This repository has been archived by the owner on Feb 6, 2023. It is now read-only.

Not compatible with authorization server #57

Closed
DPflasterer opened this issue Sep 15, 2020 · 10 comments

Comments

@DPflasterer

DPflasterer commented Sep 15, 2020

Is there a reason this library is not compatible with the default authorization server?

It looks like the only difference is the "well known" address:
https://${yourOktaDomain}/.well-known/openid-configuration
vs
https://${yourOktaDomain}/oauth2/${authServerId}/.well-known/openid-configuration

Essentially, if not private it should use the domain and not the issuer to get the config and everything else should work, right? This seems easily doable by adding a setPublic flag on the JwtVerifierBuilder, or parsing the issuer for the authServerId and if one isn't set fall back on the default.

I see in these tickets 19 and 50 that this has been brought up before and the solution was to throw an exception instead of supporting the default authorization server.

Why?
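As an added illustration (not code from okta/jwt-verifier, and in Python rather than the library's PHP), this is the issuer parsing the comment above proposes, the discovery URL it yields for both server types, and the `kid` lookup against a key set whose failure mode is the one reported later in this thread. The domain, authorization server id, token and JWKS are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed placeholders standing in for ${yourOktaDomain} and ${authServerId}.
ORG_ISSUER = "https://example.okta.com"
CUSTOM_ISSUER = "https://example.okta.com/oauth2/aus1234567890"


def parse_issuer(issuer: str):
    """Split an Okta issuer into (domain, auth_server_id); the id is None for
    the org authorization server, i.e. the fallback proposed in the issue."""
    parts = urlparse(issuer.rstrip("/"))
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return parts.netloc, None
    if len(segments) == 2 and segments[0] == "oauth2":
        return parts.netloc, segments[1]
    raise ValueError(f"unrecognised Okta issuer path: {parts.path!r}")


def discovery_url(issuer: str) -> str:
    """OIDC discovery document location: issuer plus the well-known suffix,
    which produces both URL shapes quoted in the issue."""
    domain, server_id = parse_issuer(issuer)
    base = f"https://{domain}" + (f"/oauth2/{server_id}" if server_id else "")
    return base + "/.well-known/openid-configuration"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def select_key(token: str, jwks: dict) -> dict:
    """Return the JWK whose kid matches the token header. Fetching keys from
    the wrong authorization server leaves no match, which is the
    '"kid" invalid, unable to lookup correct key' error in the trace."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    for key in jwks["keys"]:
        if key.get("kid") == header.get("kid"):
            return key
    raise LookupError('"kid" invalid, unable to lookup correct key')


# Constructed token (header.payload.placeholder-signature) and matching key set.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "org-key-1"}).encode()),
    _b64url_encode(json.dumps({"iss": ORG_ISSUER}).encode()), "sig"])
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "org-key-1", "use": "sig"}]}
```

The key-set lookup is shown in isolation; signature and claim verification still have to follow it.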

@bretterer
Collaborator

@DPflasterer Thank you for reporting this. In theory, this would work, but there are issues with validating the tokens against our org authorization server. There is the potential that you can get this working this way, but the intended use of the library was built around API Access Management.

I am going to play around with this for a little bit and see if I can get something working for you in the organization's authorization server. In the meantime, have you tried setting your issuer to only be https://${yourOktaDomain}?

@DPflasterer
Author

DPflasterer commented Sep 15, 2020

@bretterer Yes, I have tried that. It fails with a similar but different error. I have not had a chance to troubleshoot deeper than that.

Fatal error: Uncaught UnexpectedValueException: "kid" invalid, unable to lookup correct key in /app/vendor/firebase/php-jwt/src/JWT.php:112
Stack trace:
#0 /app/vendor/okta/jwt-verifier/src/Adaptors/FirebasePhpJwt.php(54): Firebase\JWT\JWT::decode('eyJraWQiOiJuYXV...', Array, Array)
#1 /app/vendor/okta/jwt-verifier/src/JwtVerifier.php(104): Okta\JwtVerifier\Adaptors\FirebasePhpJwt->decode('eyJraWQiOiJuYXV...', Array)

@jimhlad

jimhlad commented Feb 24, 2021

I am also running into the issues outlined by @DPflasterer.

@bretterer I was just curious if there are any additional steps we can take to resolve this issue?

@roy-pon

roy-pon commented Feb 1, 2022

> @DPflasterer Thank you for reporting this. In theory, this would work, but there are issues with validating the tokens against our org authorization server. There is the potential that you can get this working this way, but the intended use of the library was built around API Access Management.
>
> I am going to play around with this for a little bit and see if I can get something working for you in the organization's authorization server. In the meantime, have you tried setting your issuer to only be https://${yourOktaDomain}?

@bretterer any updates on this? I'd like to use this package with the default authorization server because we don't have a license for the API Access Management.

@bretterer
Collaborator

Currently there is no update on this. The only way for this library to function correctly is to use API Access Management.

@roy-pon

roy-pon commented Feb 2, 2022

Thanks for the quick response. Any good sources I can use, like another library or something like that, by any chance?

@bretterer
Collaborator

@roy-pon If you are looking for basic JWT validation, you can take a look at any of the great libraries listed at https://jwt.io/libraries?language=PHP

@agawronski
Contributor

agawronski commented Mar 2, 2022

@bretterer I think the very first thing on the README should state that this does not work without custom authorization servers so that people don't waste their time.

@agawronski
Contributor

#102

@bretterer
Collaborator

Merged into 1.4.0

Thank you!


5 participants