npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@okta/jwt-verifier

v4.0.1

Published

Easily validate Okta access tokens

Downloads

987,686

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

oktauploaderoktauploader

Keywords

oktaoidcOpenId Connectauthenticationauthjwt

Readme

Okta JWT Verifier for Node.js

npm version build status

This library verifies Okta access and ID tokens by fetching the public keys from the JWKS endpoint of the authorization server.

This library is for Node.js applications and will not compile into a front-end application. If you need to work with tokens in front-end applications, please see okta-auth-js.

Using Express? Our Express Resource Server Example will show you how to use this library in your Express application.

Release Status

:heavy_check_mark: The current stable major version series is: 4.x

| Version | Status | | ------- | -------------------------------- | | 4.x | :heavy_check_mark: Stable | | 3.x | :warning: Retiring on 2025-01-31 | | 2.x | :x: Retired | | 1.x | :x: Retired | | 0.x | :x: Retired |

The latest release can always be found on the [releases page][github-releases].

Access Tokens

This library verifies Okta access tokens (issued by Okta Custom Authorization servers) by fetching the public keys from the JWKS endpoint of the authorization server. If the access token is valid it will be converted to a JSON object and returned to your code.

You can learn about access tokens, scopes and claims in our OIDC and OAuth 2.0 API Referece.

Okta Custom Authorization Servers require the API Access Management license. If you are using Okta Org Authorization Servers (which don’t require API Access Management) you can manually validate against the /introspect endpoint ( https://developer.okta.com/docs/reference/api/oidc/#introspect ).

For any access token to be valid, the following are asserted:

  • Signature is valid (the token was signed by a private key which has a corresponding public key in the JWKS response from the authorization server).
  • Access token is not expired (requires local system time to be in sync with Okta, checks the exp claim of the access token).
  • The aud claim matches any expected aud claim passed to verifyAccessToken().
  • The iss claim matches the issuer the verifier is constructed with.
  • Any custom claim assertions that have been configured.

To learn more about verification cases and Okta's tokens please read Validate Access Tokens.

ID Tokens

This library verifies Okta ID tokens (issued by Okta Custom Authorization servers or Okta Org Authorization Server) by fetching the public keys from the JWKS endpoint of the authorization server. If the token is valid it will be converted to a JSON object and returned to your code.

You can learn about ID tokens, scopes and claims in our OIDC and OAuth 2.0 API Referece.

For any ID token to be valid, the following are asserted:

  • Signature is valid (the token was signed by a private key which has a corresponding public key in the JWKS response from the authorization server).
  • ID token is not expired (requires local system time to be in sync with Okta, checks the exp claim of the ID token).
  • The aud claim matches the expected client ID passed to verifyIdToken().
  • The iss claim matches the issuer the verifier is constructed with.
  • The nonce claim matches the expected nonce.
  • Any custom claim assertions that have been configured.

To learn more about verification cases and Okta's tokens please read Validate ID Tokens.

Upgrading

For information on how to upgrade between versions of the library, see UPGRADING.md

How to use

npm install --save @okta/jwt-verifier

Create a verifier instance, bound to the issuer (authorization server URL):

const OktaJwtVerifier = require('@okta/jwt-verifier');

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: 'https://{yourOktaDomain}/oauth2/default' // required
});

Verify access tokens

oktaJwtVerifier.verifyAccessToken(accessTokenString, expectedAud)
.then(jwt => {
  // the token is valid (per definition of 'valid' above)
  console.log(jwt.claims);
})
.catch(err => {
  // a validation failed, inspect the error
});

The expected audience passed to verifyAccessToken() is required, and can be either a string (direct match) or an array of strings (the actual aud claim in the token must match one of the strings).

// Passing a string for expectedAud
oktaJwtVerifier.verifyAccessToken(accessTokenString, 'api://default')
.then(jwt => console.log('token is valid') )
.catch(err => console.warn('token failed validation') );

oktaJwtVerifier.verifyAccessToken(accessTokenString, [ 'api://special', 'api://default'] )
.then(jwt => console.log('token is valid') )
.catch(err => console.warn('token failed validation') );

Verify ID tokens

oktaJwtVerifier.verifyIdToken(idTokenString, expectedClientId, expectedNonce)
.then(jwt => {
  // the token is valid (per definition of 'valid' above)
  console.log(jwt.claims);
})
.catch(err => {
  // a validation failed, inspect the error
});

The expected client ID passed to verifyIdToken() is required. Expected nonce value is optional and required if the claim is present in the token body.

Example return values of verifyIdToken and verifyAccessToken:

{
  header: {
    typ: 'JWT',
    alg: 'RS256',
    kid: 'keyId'
  },
  claims: {
    sub: 'sub',
    name: 'name',
    email: 'email',
    ver: 1,
    iss: 'https://foobar.org/oauth2/default',
    aud: 'aud',
    iat: 1657621175,
    exp: 1657624775,
    jti: 'jti',
    amr: [ 'pwd' ],
    idp: 'idp',
    nonce: 'nonce',
    preferred_username: '[email protected]',
    auth_time: 1657621173,
    at_hash: 'at_hash'
  },
  toString: () => 'base64-encoded token',
  isExpired: () => Boolean,
  isNotBefore: () => Boolean,
{
  userMessage: 'Jwt is expired',
  jwtString: 'base64-encoded token',
  parsedHeader: JwtHeader {
    typ: 'JWT',
    alg: 'RS256',
    kid: 'keyId'
  },
  parsedBody:
    ver: 1,
    jti: 'jti',
    iss: 'iss',
    aud: 'api://default',
    iat: 1657621175,
    exp: 1657621475,
    cid: 'cid',
    uid: 'uid',
    scp: [ 'openid', 'email', 'profile' ],
    auth_time: 1657621173,
    sub: '[email protected]'
  },
  innerError: undefined
}

Custom Claims Assertions

For basic use cases, you can ask the verifier to assert a custom set of claims. For example, if you need to assert that this JWT was issued for a given client id:

const verifier = new OktaJwtVerifier({
  issuer: 'https://{yourOktaDomain}/oauth2/default',
  clientId: '{clientId}'
  assertClaims: {
    cid: '{clientId}'
  }
});

Validation fails and an error is returned if the token does not have the configured claim.

For more complex use cases, you can ask the verifier to assert that a claim includes one or more values. This is useful for array type claims as well as claims that have space-separated values in a string.

You use the form: <claim name>.includes in the assertClaims object with an array of values to validate.

For example, if you want to assert that an array claim named groups includes (at least) Everyone and Another, you'd write code like this:

const verifier = new OktaJwtVerifier({
  issuer: ISSUER,
  clientId: CLIENT_ID,
  assertClaims: {
    'groups.includes': ['Everyone', 'Another']
  }
});

If you want to assert that a space-separated string claim name scp includes (at least) promos:write and promos:delete, you'd write code like this:

const verifier = new OktaJwtVerifier({
  issuer: ISSUER,
  clientId: CLIENT_ID,
  assertClaims: {
    'scp.includes': ['promos:write', 'promos:delete']
  }
});

The values you want to assert are always represented as an array (the right side of the expression). The claim that you're checking against (the left side of the expression) can have either an array (like groups) or a space-separated list in a string (like scp) as its value type.

NOTE: Currently, .includes is the only supported claim operator.

Custom JWKS URI

Custom JWKS URI can be provided. It's useful when JWKS URI cannot be based on Issuer URI:

const verifier = new OktaJwtVerifier({
  issuer: 'https://{yourOktaDomain}',
  clientId: '{clientId}',
  jwksUri: 'https://{yourOktaDomain}/oauth2/v1/keys'
});

Caching & Rate Limiting

  • By default, found keys are cached by key ID for one hour. This can be configured with the cacheMaxAge option for cache entries.
  • If a key ID is not found in the cache, the JWKs endpoint will be requested. To prevent a DoS if many not-found keys are requested, a rate limit of 10 JWKs requests per minute is enforced. This is configurable with the jwksRequestsPerMinute option.

Here is a configuration example that shows the default values:

// All values are default files
const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: 'https://{yourOktaDomain}/oauth2/default',
  clientId: '{clientId}',
  cacheMaxAge: 60 * 60 * 1000, // 1 hour
  jwksRequestsPerMinute: 10
});

Testing

Set up a SPA and a Web App in your Okta org and testing environment variables by following the Testing section in okta-oidc-js Monorepo's README.

NOTE:

When creating a SPA in your Okta org, please make sure all Implicit checks have been checked in the General Settings -> Application -> Allowed grant types section.

Command for running unit test:

yarn test:unit

Contributing

We welcome contributions to all of our open-source packages. Please see the contribution guide to understand how to structure a contribution.

Installing dependencies for contributions

We use yarn for dependency management when developing this package:

yarn install