This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

OktaJwtVerifier SigningKeyNotFoundError API based auth #67

Closed
jeroenransijn opened this issue Dec 1, 2017 · 2 comments

Comments

@jeroenransijn

I have been bashing my head against the APIs for a couple of days trying to use it as my auth/user system for an application without using the login window. I am new to auth and Okta and it's hard to figure out all the different parts.

Then when I thought I finally put everything together correctly, I got SigningKeyNotFoundError.

My code is almost identical to the example. I don't understand what I am doing differently from what's in the repo.

I also saw this other issue that might be related, #46 — I just don't know how my situation is similar or different.

Check out my implementation:

```js
// Module setup needed to run this snippet (not shown in the original):
// axios for HTTP calls and an Express router for the /login route.
const axios = require('axios');
const express = require('express');

const router = express.Router();

// clientId, clientSecret, redirectUri, the oktaJwtVerifier instance, and the
// login() / getAuthCode() helpers come from elsewhere in the application and
// are not included in this snippet. The org id in the URL is redacted.

function getAccessToken({ code }) {
  // Note: this targets the org-level /oauth2/v1/token endpoint.
  const url = `https://dev-{code}.oktapreview.com/oauth2/v1/token?grant_type=authorization_code&code=${code}&redirect_uri=${redirectUri}`;
  // HTTP Basic client authentication: base64("clientId:clientSecret")
  const base64ClientIdSecret = Buffer.from(
    `${clientId}:${clientSecret}`,
  ).toString('base64');
  return axios({
    method: 'post',
    headers: {
      Authorization: `Basic ${base64ClientIdSecret}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    url,
  });
}

// https://github.com/okta/okta-oidc-js/blob/master/packages/jwt-verifier/test/util.js
router.post('/login', (req, res) => {
  console.log('login');
  // 1. Primary authentication -> sessionToken
  login(req)
    .then(response => {
      // 2. Exchange the sessionToken for an access token via the /authorize redirect
      getAuthCode({ sessionToken: response.data.sessionToken })
        .then(authResponse => {
          // axios follows the redirect; the final URL carries the token in its fragment/query
          const responseUrl = authResponse.request.res.responseUrl // eslint-disable-line
          const match = responseUrl.match(/access_token=([^&]+)/);
          const accessToken = match && match[1];

          console.log('responseUrl', responseUrl);
          console.log('accessToken', accessToken);

          // 3. Verify the access token locally (this is where SigningKeyNotFoundError is thrown)
          oktaJwtVerifier
            .verifyAccessToken(accessToken)
            .then(jwt => {
              res.status(200).send({ status: 'success', jwt });
            })
            .catch(err => {
              console.log(err);
              res.status(401).send({
                status: 'failure',
                message: 'Unable to verify',
              });
            });
        })
        .catch(error => {
          if (error.response) {
            // The request was made and the server responded with a status code
            // that falls out of the range of 2xx
            console.log(error.response.data);
            console.log(error.response.status);
            console.log(error.response.headers);
          } else if (error.request) {
            // The request was made but no response was received
            // `error.request` is an instance of XMLHttpRequest in the browser and an instance of
            // http.ClientRequest in node.js
            console.log(error.request);
          } else {
            // Something happened in setting up the request that triggered an Error
            console.log('Error', error.message);
          }
          console.log(error.config);
          console.log('Error', error.message);
        });
    })
    // eslint-disable-next-line
    .catch(error => {
      console.log(error.message);
      res.status(500).send({
        message: 'Server Error',
      });
    });
});
```

I am new to Auth and all these things. I was hoping it would be a little easier; most of the examples use the Okta login widget — I need a custom login.

@robertjd
Contributor

Hi @jeroenransijn. Looking at the code above, I see you're using oauth2/v1/token which is the org-level authorization server (AS). That is meant for logging into the Okta org itself. For your own application you'll need to create a custom AS. New orgs get a default custom AS with the URL oauth2/default/v1/token. This is what we're talking about in #46. For both token creation and validation you'll want to use a custom AS. Hope this helps!
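A quick way to see the org-AS vs custom-AS mismatch behind a SigningKeyNotFoundError is to decode the token's header and payload (without verifying it) and compare its `iss` claim with the issuer the verifier is configured for. The following is an added diagnostic example, not code from this issue or from okta-oidc-js; the org id, `kid` and signature segment are constructed sample values.

```javascript
// Diagnostic only: decodes a JWT WITHOUT verifying it, then checks whether the
// token's issuer matches the issuer the JWT verifier expects.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return { header: JSON.parse(base64UrlDecode(parts[0])), payload: JSON.parse(base64UrlDecode(parts[1])) };
}

// Org AS issuer looks like https://{org}.oktapreview.com; a custom AS issuer
// ends in /oauth2/{authServerId} (e.g. /oauth2/default).
function issuerKind(iss) {
  return /\/oauth2\/[^\/]+\/?$/.test(iss) ? 'custom' : 'org';
}

function diagnoseIssuer(token, configuredIssuer) {
  const { header, payload } = decodeJwtUnverified(token);
  const tokenIssuer = payload.iss;
  const matches = tokenIssuer === configuredIssuer;
  let hint;
  if (matches) {
    hint = `issuer matches; check that kid ${header.kid} is published at ${configuredIssuer}/v1/keys`;
  } else if (issuerKind(tokenIssuer) === 'org' && issuerKind(configuredIssuer) === 'custom') {
    hint = `token was minted by the org AS; request tokens from ${configuredIssuer}/v1/token instead`;
  } else {
    hint = `issuer mismatch: verifier expects ${configuredIssuer} but token says ${tokenIssuer}`;
  }
  return { kid: header.kid, tokenIssuer, configuredIssuer, matches, hint };
}

// Constructed sample token: real-looking header/payload, dummy signature segment.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'constructed-kid' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://dev-000000.oktapreview.com', aud: 'api://default' })),
  'c2lnbmF0dXJl',
].join('.');
const CUSTOM_AS_ISSUER = 'https://dev-000000.oktapreview.com/oauth2/default';

console.log(diagnoseIssuer(SAMPLE_TOKEN, CUSTOM_AS_ISSUER));
```

The decode step skips signature verification on purpose, so use its output only to pick the right issuer and endpoint, never as proof the token is valid.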

@omgitstom

@jeroenransijn I'm going to close this. Let us know if you are still running into an issue.
