[JWT] Having trouble validating token from Okta

Forge Component
Published on 2018-10-10 by João Almeida
8 votes

Hello,

I used this to implement OAuth 2.0 and OpenID Connect functionality from Okta and I'm having trouble validating the ID Token from them with this module. I have a valid token and JWK from Okta as far as I know, but I noticed the JWK doesn't have an x5c node which seems to be important in the validation process when using the RS256 algorithm. I am new to OpenID Connect and JWTs and just starting to get a hang of this stuff so I am a little confused and not able to find much helpful information on Google for this situation.

Thanks


Hi Kevin, could you give me some more details on your test case?



I can give you the signing key and token. It's saying "Unable to open public key. Validate if private key is in PEM format."

Token:
eyJraWQiOiJvbWh0QndxMEVaNlhFREZ4TWpfUEFoNkVRaS1VTnFBckRsMGk4dkItREpnIiwiYWxnIjoiUlMyNTYifQ.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.D5xlvKwwDh6c4YEAnlevUlKTT7A_wKDQy5tx4uEdzoMdB81GjjQg9J2MqQmfKSi7Y-e6o8qCv0U3wKIX8c-wdz331xEvKs7tQ30RhFxRGFDCfz7VTRfL8oNGb8XVKu973JdhgkSBXWvCliTgB7r4JpenfPU62Po7llYknziKH_w3BrDYAjNSrGFJH_HpERheVHsxDCF8t4Z1xz7FZR2MRQqLPJoqxCsdKRn81SMfvUa06zP8QXRAmVlJQPThete6_Po5ysU9xgMIG_3viIgT1iAliV66a7WbC1YaP9zfxo19mX6zJtp5M1gRfaWYP6zspS_PPquP20Vj4lP0Zsu1Zw

Public Key:

{"kty":"RSA","alg":"RS256","kid":"omhtBwq0EZ6XEDFxMj_PAh6EQi-UNqArDl0i8vB-DJg","use":"sig","e":"AQAB","n":"jYCGMKOx7k1WbWsA8LgxiuWZW5dNlq3XNRAIQ84vOvCMGL4guluHz6fLzrcJbOIVQCvVuO5E-OM10BY1SD8PAkTrUyaVO42R2nKMcG5Ga6s8JHzPBpL8p1vaBS1WmxBZd3e7c62Wu4N6TFeZmH5D9DU3wERg3lo_ZXYzIni0kGPt3WtKr5C5fg-6Yhh3pYWnZCPfZ93LWid8Ur2g4fQ2HZXQqlAst_v-eMAR1PC6jjWtZ0Wi7iL1WSgsy4ZvBPDHcOJNMYe4kDggXUW2ekTG-qMlqmUXN4G1h_aMokgrj7TqRmuZssqepJjxJfTUd8BqLZgrelpTGECFG6rxAPF4rw"}




Basically, I get that token back from signing in to Okta as a user, and then I was going to call ReadAndValidateTokenWithJsonWebKey to validate the token with the JWK I got from Okta's API for the auth server that generated that token, before logging them into my application.
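The missing x5c member is not the problem in itself: an RSA JWK is fully defined by its n and e values, and the "PEM format" error only means the component wants the key in a different container. As an added example (not the forge component's code, and not Okta's), the stdlib-only Python below turns the JWK posted in this thread into (n, e) and verifies an RS256 signature directly, with no certificate or PEM involved. Because the token's payload is elided on the page, the signature that gets checked comes from a constructed demo key built from two Mersenne primes, with an assumed kid "demo-kid" and assumed claims; the Okta key is only parsed.

```python
import base64, hashlib, json
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# The JWK posted in this thread: an Okta signing key with n and e only, no x5c
OKTA_JWK = json.loads('{"kty":"RSA","alg":"RS256","kid":"omhtBwq0EZ6XEDFxMj_PAh6EQi-UNqArDl0i8vB-DJg","use":"sig","e":"AQAB","n":"jYCGMKOx7k1WbWsA8LgxiuWZW5dNlq3XNRAIQ84vOvCMGL4guluHz6fLzrcJbOIVQCvVuO5E-OM10BY1SD8PAkTrUyaVO42R2nKMcG5Ga6s8JHzPBpL8p1vaBS1WmxBZd3e7c62Wu4N6TFeZmH5D9DU3wERg3lo_ZXYzIni0kGPt3WtKr5C5fg-6Yhh3pYWnZCPfZ93LWid8Ur2g4fQ2HZXQqlAst_v-eMAR1PC6jjWtZ0Wi7iL1WSgsy4ZvBPDHcOJNMYe4kDggXUW2ekTG-qMlqmUXN4G1h_aMokgrj7TqRmuZssqepJjxJfTUd8BqLZgrelpTGECFG6rxAPF4rw"}')

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_to_rsa(jwk):
    """(n, e) as integers: everything a verifier needs from an RSA JWK."""
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))

def pkcs1v15_sha256(signing_input, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    digest = hashlib.sha256(signing_input).digest()
    return (b"\x00\x01" + b"\xff" * (k - len(SHA256_PREFIX) - 35)
            + b"\x00" + SHA256_PREFIX + digest)

def verify_rs256(token, jwk):
    """True only if alg is RS256, kid matches this JWK and the signature is valid."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "RS256" or header.get("kid") != jwk.get("kid"):
            return False  # the token never gets to choose the algorithm or the key
        n, e = jwk_to_rsa(jwk)
        k = (n.bit_length() + 7) // 8
        sig = b64url_decode(s_b64)
        if len(sig) != k:
            return False
        em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
        return em == pkcs1v15_sha256(f"{h_b64}.{p_b64}".encode(), k)  # whole EM must match
    except (ValueError, KeyError, TypeError):
        return False

def sign_rs256(header, payload, n, d):
    """Issuer side (what Okta does); here only to mint a demo token to check."""
    h_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1v15_sha256(f"{h_b64}.{p_b64}".encode(), k), "big")
    return f"{h_b64}.{p_b64}." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))

# Constructed demo key from two Mersenne primes: fine for a test, never for real use
DEMO_P, DEMO_Q = 2**521 - 1, 2**607 - 1
DEMO_N, DEMO_D = DEMO_P * DEMO_Q, pow(65537, -1, (DEMO_P - 1) * (DEMO_Q - 1))
DEMO_JWK = {"kty": "RSA", "alg": "RS256", "kid": "demo-kid", "use": "sig",
            "e": b64url_encode(b"\x01\x00\x01"),
            "n": b64url_encode(DEMO_N.to_bytes((DEMO_N.bit_length() + 7) // 8, "big"))}
```

If a component insists on PEM, the same (n, e) pair can be wrapped in a SubjectPublicKeyInfo structure by any RSA library; the JWK already carries all the key material.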