okta-auth-js icon indicating copy to clipboard operation
okta-auth-js copied to clipboard

Published 20 hours ago verified publisher icon okta

'The request does not match client configuration' when using implicit flow through a gateway

Open jberube opened this issue 5 years ago • 7 comments

Hello.

I'm using the Implicit OAuth flow. I have different environments. Some goes through an access gateway, some don't. Both use a custom domain okta endpoint, which I'll refer to as mydomain.oktapreview.com .

I've used options authorizeUrl, tokenUrl, logoutUrl, revokeUrl, userinfoUrl to get sure that the calls to the okta API goes to my gateway. Which works for the authentication flow. So the calls goes to my gateway, but the issuer is mydomain.oktapreview.com .

I can get an idToken and accessToken that are valid. The issuer in them is mydomain.oktapreview.com, as expected.

When trying to renew my access token using authClient.tokenManager.get('accessToken'), I get the error "The request does not match client configuration", which I could trace to
https://github.com/okta/okta-auth-js/blob/master/packages/okta-auth-js/lib/token.js#L136

if (e.origin !== sdk.getIssuerOrigin()) {
  return reject(new AuthSdkError('The request does not match client configuration'));
}

In the case where authorizeUrl option is provided, shouldn't it's origin be used to compare with e.origin instead of sdk.getIssuerOrigin()?

jberube avatar Jul 14 '20 21:07 jberube

Forgot to mention that I'm using the latest version, 3.1.4.

jberube avatar Jul 14 '20 21:07 jberube

@jberube We will investigate this issue. In the meantime, you may be able to work around this by setting autoRenew option to false. You can listen to the 'expired' event and renew the token yourself, the renewToken call should accept the authorizeUrl option.

aarongranick-okta avatar Jul 20 '20 20:07 aarongranick-okta

Hi @aarongranick-okta , I've checked for that option. The problem here is that, when authorizeUrl is used, we're still comparing the origin of the event of the iframe (which will be the origin of authorizeUrl) to the issuer, which won't match it, since the issuer is mydomain.oktapreview.com while authorizeUrl will be something like https://mydomain.com/sso/auth2/{my authn id}}/v1/authorize.

So in the test above, e.origin is mydomain.com while sdk.getIssuerOrigin() returns mydomain.oktapreview.com.

jberube avatar Jul 21 '20 14:07 jberube

Internal Ref: OKTA-317715

swiftone avatar Jul 28 '20 17:07 swiftone

Stumbled across this issue today in our own testing but using PKCE. Once we changed the issuer in the configuration to match the iss expected in the JWT (which is different from the 'issuer' set in the authorizeUrl, worked just fine.

Understandable why the SDK is doing this check, but somewhat annoying.

eatplaysleep avatar Nov 03 '20 00:11 eatplaysleep

@eatplaysleep where can I find iss value?

enseitankad0 avatar May 06 '21 13:05 enseitankad0

@enseitankad0 this is a super delayed reply, but thought I might as well document it for others.

Easiest way... Just plug this into your browser (with the appropriate values): [https://{yourOktaOrg}/.well-known/openid-configuration?client_id={ClientId) <-- client_id is optional

Alterative method... Your issuer value can be found in the JWT itself. If you have one, just decode it (https://jwt.io) or, if you are using Okta CIS, you can generate a mock JWT via the API settings.

eatplaysleep avatar Feb 10 '23 23:02 eatplaysleep