Cannot read property 'keys' of undefined

[AlexandrTuniev]

Hey
We have a node js server, that running using your library for authentication.
There is a exception thrown from it.

[2016-03-18 16:58:08.180] [ERROR] errorHandler - Cannot read property 'keys' of undefined
TypeError: Cannot read property 'keys' of undefined
    at Metadata.generateOidcPEM (xxx\server\node_modules\passport-azure-ad\lib\passport-azure-ad\metadata.js:197:19)
    at Strategy.jwtVerify [as _verify] (xxx\server\node_modules\passport-azure-ad\lib\passport-azure-ad\bearerstrategy.js:176:36)
    at Strategy.authenticate (xxx\server\node_modules\passport-azure-ad\node_modules\passport-http-bearer\lib\strategy.js:132:10)
    at attempt (xxx\server\node_modules\passport\lib\middleware\authenticate.js:348:16)
    at authenticate (xxx\server\node_modules\passport\lib\middleware\authenticate.js:349:7)
    at Layer.handle [as handle_request] (xxx\server\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (xxx\server\node_modules\express\lib\router\index.js:312:13)
    at xxx\server\node_modules\express\lib\router\index.js:280:7
    at Function.process_params (xxx\server\node_modules\express\lib\router\index.js:330:12)
    at next (xxx\server\node_modules\express\lib\router\index.js:271:10)
    at initialize (xxx\server\node_modules\passport\lib\middleware\initialize.js:53:5)
    at Layer.handle [as handle_request] (xxx\server\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (xxx\server\node_modules\express\lib\router\index.js:312:13)
    at xxx\server\node_modules\express\lib\router\index.js:280:7
    at Function.process_params (xxx\server\node_modules\express\lib\router\index.js:330:12)
    at next (xxx\server\node_modules\express\lib\router\index.js:271:10)

Or some times it rejects valid json token, and messages, "An error was received validating the token secret or public key must be provided". I think it happens because at the time when token comes for validation the public key hasn't downloaded yet. For reproduce this issue I stop and start node server, and immediately after that make request. On later requests with the same token there isn't any issue.
Below is my node code.

if (env !== 'test') {
  app.use(passport.initialize());

  var authentication = require('./authentication/strategy');

  passport.use(authentication.bearerStrategy);

  app.use(passport.authenticate('oauth-bearer', {
    session: false
  }));
}

//Wire up routing
app.use('/dashboard/api/v1', router);

var env = process.env.NODE_ENV || 'development',
  adCredentials = require(__dirname + '/../config/config.json')[env].adCredentials,
  BearerStrategy = require('passport-azure-ad').BearerStrategy;

var options = {
  identityMetadata: adCredentials.identityMetadata,
  audience: adCredentials.audience,
  clientID: adCredentials.clientID,
  passReqToCallback: false,
  validateIssuer: true
};


exports.bearerStrategy = new BearerStrategy(options,
    function(token, done) {
        return done(null, token);
    }
);

Any help appreciated.
Thanks,
Sash

[AlexandrTuniev]

After some investigation found that issue connected with this,

 this.metadata.fetch(function(err) {
        if (err) {
            throw new Error("Unable to fetch metadata: " + err);
        }

    });


    function jwtVerify(req, token, done) {

        if (!options.passReqToCallback) {
            token = arguments[0];
            done = arguments[1];
            req = null;
            log.info('got token - going in to verification');
        }


        var decoded = jws.decode(token);
        if (decoded == null) {
            done(null, false, "Invalid JWT token.");
        }

        log.info('token decoded:  ', decoded);


        // We have two different types of token signatures we have to validate here. One provides x5t and the other a kid.
        // We need to call the right one.

        if (decoded.header.x5t) {
            PEMkey = this.metadata.generateOidcPEM(decoded.header.x5t);
        } else if (decoded.header.kid) {
            PEMkey = this.metadata.generateOidcPEM(decoded.header.kid);
        } else {
            throw new TypeError('We did not reveive a token we know how to validate');
        }



        if (options.validateIssuer) {
            options.issuer = this.metadata.oidc.issuer;
        }
        options.algorithms = this.metadata.oidc.algorithms;

        jwt.verify(token, PEMkey, options, function(err, token) {
            if (err) {
                if (err instanceof jwt.TokenExpiredError) {
                    log.warn("Access token expired");
                    done(null, false, 'The access token expired');
                } else if (err instanceof jwt.JsonWebTokenError) {
                    log.warn("An error was received validating the token", err.message);
                    done(null, false, util.format('Invalid token (%s)', err.message));
                } else {
                    done(err, false);
                }
            } else {
                log.info(token, 'was token going out of verification');
                if (options.passReqToCallback) {
                    log.info("We did pass Req back to Callback");
                    verify(req, token, done);
                } else {
                    log.info("We did not pass Req back to Callback");
                    verify(token, done);
                }
            }
        });
    }

jwtVerify function doesn't wait for metadata.fetch method's successful completion.

[brandwe]

Strange. This can be fixed with a waterfall and I thought I'd had done so. I'll look in to this now and get a fix in by EOW.

[AlexandrTuniev]

Are there any updates on this?