oidc-client-ts
InvalidTokenError: Invalid token specified: missing part #2
I've created an IdP/sso server using OpenIddict, and I'm integrating the login mechanism into my React site.
I'm stuck on this problem and I could use some advice.
[JwtUtils.decode] InvalidTokenError: Invalid token specified: missing part #2
Basically, my SSO server is sending an access token in the /connect/token call, and the token looks "normal" in there, but, importantly, I haven't put claims in it. (I was expecting the introspection or userinfo endpoints to be called, but the process isn't getting that far.)
Everything leading up to this point seems to be working correctly. On the sign-in request, the site redirects to the SSO server, the user authenticates/logs in, then is redirected back to the website with the /?code=blah bits attached. Then there's a call made to the .well-known endpoint. Then there's a call to the SSO's /connect/token endpoint, and the access_token is returned in the response with a token type of "bearer". The token is in the 3-part format [header].[token].[signature]. That's when the InvalidTokenError happens, and the rest of the sign-in process fails.
There are kind of 2 paths to take, both of which I'm having problems getting past. Path 1) How can I tell oidc-client-ts to tell jwt-decode there's a header part of this token? jwt-decode has a second method parameter which controls where it looks for the token data. I'd love to be able to print some debug code in JwtUtil or jwt-decode to understand what it's actually finding as the access_token, and I tried npx patch-package, but my JS chops are not up to snuff I guess, or the method I'm patching isn't coming from the places I've tried to modify.
Path 2) Since the token itself doesn't contain the claims anyway, how can I tell oidc-client-ts not to bother trying to read the access_token and use userinfo or introspection instead to get them?
Maybe there's something else I missed with how this is supposed to work.
This is the /.well-known/openid-configuration response:
{
"issuer": "https://localhost:7179/",
"authorization_endpoint": "https://localhost:7179/connect/authorize",
"token_endpoint": "https://localhost:7179/connect/token",
"introspection_endpoint": "https://localhost:7179/connect/introspect",
"end_session_endpoint": "https://localhost:7179/connect/logout",
"userinfo_endpoint": "https://localhost:7179/connect/userinfo",
"jwks_uri": "https://localhost:7179/.well-known/jwks",
"grant_types_supported": [
"client_credentials",
"authorization_code",
"password",
"refresh_token"
],
"response_types_supported": [
"code"
],
"response_modes_supported": [
"form_post",
"fragment",
"query"
],
"scopes_supported": [
"openid",
"api",
"email",
"profile",
"roles",
"offline_access"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"subject_types_supported": [
"public"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"introspection_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"claims_parameter_supported": false,
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"authorization_response_iss_parameter_supported": true
}
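The debugging step asked for under Path 1 (seeing what jwt-decode actually gets as the token, and why it reports a missing part) can be done without patching the library. The following is an added example, not code from the original issue, from oidc-client-ts or from jwt-decode. It reproduces jwt-decode's segment selection: the string is split on ".", segment 0 is read when `{ header: true }` is passed and segment 1 otherwise, and a segment that is not there is reported as `missing part #<index+1>`; so `missing part #2` means the string it was handed contains no "." at all. It assumes Node.js (for `Buffer`); the function names `describeToken`, `decodeSegmentLikeJwtDecode` and `makeUnsignedJws` are mine, and the three sample tokens are constructed for the demonstration. It also classifies 5-segment JWE (encrypted) tokens, whose second segment is a key rather than JSON, which goes slightly beyond the 3-part case in the post.

```javascript
// Added example: not code from the original issue, from oidc-client-ts or from jwt-decode.
// Reproduces the part-selection logic jwt-decode uses (split on ".", take segment 0 when
// { header: true } is passed, otherwise segment 1, then base64url-decode and JSON.parse it)
// so a raw access_token or id_token can be inspected before the library sees it.
// Assumes Node.js for the global Buffer.

// base64url -> utf8 text (JWT segments are base64url without "=" padding)
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  return Buffer.from(b64, "base64").toString("utf8");
}

// utf8 text -> base64url; only used to build the constructed sample tokens below
function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Same selection rule and error text as jwt-decode: index 0 for the header, 1 for the
// payload; a missing segment is reported as "missing part #<index+1>".
function decodeSegmentLikeJwtDecode(token, options = {}) {
  if (typeof token !== "string") {
    throw new Error("Invalid token specified: must be a string");
  }
  const pos = options.header === true ? 0 : 1;
  const part = token.split(".")[pos];
  if (typeof part !== "string") {
    throw new Error(`Invalid token specified: missing part #${pos + 1}`);
  }
  return JSON.parse(base64UrlDecode(part));
}

// Decode one segment, returning either the parsed JSON or the reason it could not be read.
function tryDecodeSegment(segments, pos) {
  const part = segments[pos];
  if (typeof part !== "string") return { value: null, error: `missing part #${pos + 1}` };
  try {
    return { value: JSON.parse(base64UrlDecode(part)), error: null };
  } catch {
    return { value: null, error: `part #${pos + 1} is not base64url-encoded JSON` };
  }
}

// Classify a token by its dot-separated segment count and decode header and payload.
// 3 segments = JWS (signed JWT), 5 = JWE (encrypted JWT; segment 2 is a key, not JSON),
// 1 = opaque/reference token. Signatures are NOT verified here, exactly as in jwt-decode.
// `error` is what jwt-decode's default (payload) call would complain about.
function describeToken(token) {
  if (typeof token !== "string") {
    return { kind: "not-a-string", parts: 0, header: null, headerError: null,
             payload: null, payloadError: null, error: "must be a string" };
  }
  const segments = token.split(".");
  const kinds = { 1: "opaque", 3: "jws", 5: "jwe" };
  const header = tryDecodeSegment(segments, 0);
  const payload = tryDecodeSegment(segments, 1);
  return {
    kind: kinds[segments.length] || "unknown",
    parts: segments.length,
    header: header.value, headerError: header.error,
    payload: payload.value, payloadError: payload.error,
    error: payload.error,
  };
}

// Build an unsigned 3-segment token (constructed input; the signature segment is a
// placeholder, which is enough because nothing here verifies it).
function makeUnsignedJws(header, payload) {
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}

// Constructed sample tokens, shaped like values a /connect/token response might carry.
const SAMPLE_JWS = makeUnsignedJws(
  { alg: "RS256", typ: "at+jwt" },
  { iss: "https://localhost:7179/", sub: "42", aud: "api", exp: 1700000000 });
const SAMPLE_JWE = `${base64UrlEncode(JSON.stringify({ alg: "RSA-OAEP", enc: "A256CBC-HS512" }))}.ENCKEY.IV.CIPHERTEXT.TAG`;
const SAMPLE_OPAQUE = "q7Xv2J9kLmN0pQrStUvWxYz";

// Inspect each sample; paste the real access_token from /connect/token in place of these.
for (const t of [SAMPLE_JWS, SAMPLE_JWE, SAMPLE_OPAQUE]) {
  console.log(JSON.stringify(describeToken(t)));
}
```

Run it with node and replace the samples with the exact `access_token` and `id_token` strings copied from the /connect/token response (before any trimming or re-encoding by application code). A result with `parts: 1` and `error: "missing part #2"` is the same condition that makes jwt-decode throw the error quoted in the issue; a `jws` result shows the header and claims the library would read, and a `jwe` result means the payload cannot be read client-side at all, regardless of the `header` option. For Path 2, oidc-client-ts has a `loadUserInfo` setting that makes it call the userinfo endpoint after sign-in; that does not by itself change how the tokens in the response are parsed.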