1

I have two applications using the same backend. Both frontend applications uses different client IDs. what is the best way to go about verifying access tokens for both frontend applications. Below is the basic structure of what I have.

const OktaJwtVerifier = require('@okta/jwt-verifier');

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: process.env.OKTA_ISSUER,
  clientId: process.env.OKTA_CLIENT_ID

});

const oktaToken = await oktaJwtVerifier.verifyAccessToken(accessTokenString,[
    process.env.OKTA_CLIENT_ID,
]);

Is there a way to send in an array of issuer and clientId? The objective is to verify access tokens coming generated from two applications APP X and APP Y, that is, clientId X and clientId Y

Jam1
  • 629
  • 12
  • 25

1 Answers1

2

You don't need to verify the client id, as it's one used to obtain the token. Okta's GitHub repo README.md gives you an idea of claims/conditions to be verified for access tokens (https://github.com/okta/okta-jwt-verifier-js#access-tokens), so please check.

Here is a snipper from the verification library, which shows that you don't need client_id for access token verification

  async verifyAccessToken(accessTokenString, expectedAudience) {
    // njwt verifies expiration and signature.
    // We require RS256 in the base verifier.
    // Remaining to verify:
    // - audience claim
    // - issuer claim
    // - any custom claims passed in

    const jwt = await this.verifyAsPromise(accessTokenString);
    verifyAudience(expectedAudience, jwt.claims.aud);
    verifyIssuer(this.issuer, jwt.claims.iss);
    verifyAssertedClaims(this, jwt.claims);

    return jwt;
  }

In general, it doesn't matter what was the client id, through which a token got obtained, but rather the content of the token:

  • who it is for
  • who issued it
  • its expiration time
  • scopes
  • custom claims

If you are concerned about client IDs, you can eliminate it on authZ server level by introducing constraints for its access policy/rule.

Philipp Grigoryev
  • 1,985
  • 3
  • 17
  • 23
  • I know the client ID don't need to be verified, however, they are used to verify the access token. So access token generated with Client ID `X` needs to be verified with client ID `Y` – Jam1 Jun 22 '22 at 15:49
  • In further testing, I realize the client id and issuer is necessary to validate tokens coming in. – Jam1 Jun 22 '22 at 17:51
  • 1
    client_id is only required for id_token validation, for access you don't need it. I edited my response to include a snippet from the library you are using. Not sure where you found client_id as a required parameter – Philipp Grigoryev Jun 22 '22 at 22:32