
OktaAuth generate a wrong access token sometimes

Open WeipingGan opened this issue 3 years ago • 3 comments

my okta-auth version is

"@okta/okta-auth-js": "^5.3.1",
"@okta/okta-react": "^6.1.0",

and my code is

import { OktaAuth } from '@okta/okta-auth-js';

// clientId and issuer are provided by the surrounding module
const oktaConfig = {
  clientId: clientId,
  issuer: issuer,
  redirectUri: window.location.origin + '/login/callback',
  scopes: ['openid', 'profile', 'email'],
  pkce: true,
  disableHttpsCheck: true,
};

export const oktaAuth = new OktaAuth({
  // spread the base options into the OktaAuth options object
  ...oktaConfig,
  transactionManager: {
    saveNonceCookie: false,
    saveStateCookie: false,
    saveParamsCookie: false
  }
});

export const getUserToken = () => {
  // read the raw access token string from the current auth state
  return {
    accessToken: oktaAuth.authStateManager.getAuthState().accessToken.accessToken
  };
};

Sometimes it generates an outdated token carrying a wrong kid. For example, on January 3, 2022, it generated a token from November 2021 with an unverifiable kid; I checked the Okta keys endpoint and did not find this kid. What is the problem? Could anyone help me?

WeipingGan avatar Jan 04 '22 07:01 WeipingGan

@WeipingGan That is certainly a strange issue! One thought I have is that it may be another application in another tab which is served on the same domain and is using the same storage key.

By default, token values are synchronized between tabs when the storageType is "localStorage". You could set the storageType to "sessionStorage" to disable synchronizing between tabs: https://github.com/okta/okta-auth-js#storagetype

If the problem is two apps sharing a storage key, one or both apps can set their storage key value so as to not conflict: https://github.com/okta/okta-auth-js#storagekey

aarongranick-okta avatar Jan 05 '22 01:01 aarongranick-okta
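The two symptoms reported above (a token whose exp is months in the past, and a header kid that is absent from the issuer's JWKS) are easy to confirm locally before blaming the SDK. The following is an added diagnostic, not code from the thread or from okta-auth-js: it decodes a compact JWT without verifying it and reports whether it is expired and whether its kid appears in a JWKS document. The token, the JWKS and the fixed "now" timestamp are constructed sample values; Buffer makes this Node-oriented (in a browser, atob would take its place).

```javascript
// Added example (not from the thread or the okta-auth-js project).
// Decodes a compact JWT and flags the two symptoms reported in the issue:
// `exp` already in the past, and a header `kid` that no JWKS key carries.
// It does NOT verify the signature; it only explains why a token is rejected.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { kid, exp, expired, kidKnown, expiredForDays } for a compact JWT.
// `nowSeconds` is injectable so the check is reproducible in tests.
function diagnoseAccessToken(token, jwks, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const knownKids = new Set(jwks.keys.map((k) => k.kid));
  return {
    kid: header.kid,
    exp: payload.exp,
    expired: typeof payload.exp !== 'number' || payload.exp <= nowSeconds,
    kidKnown: knownKids.has(header.kid),
    // days since expiry; negative means the token is still valid
    expiredForDays: Math.floor((nowSeconds - payload.exp) / 86400),
  };
}

// Constructed sample data: a JWKS holding only the current signing key, and a
// token whose kid is not in it and whose exp is 2021-11-10T00:00:00Z. The
// signature segment is a placeholder. "Now" is fixed to 2022-01-03T00:00:00Z.
const SAMPLE_JWKS = { keys: [{ kty: 'RSA', kid: 'current-key-2022', use: 'sig', alg: 'RS256' }] };
const NOW_2022_01_03 = 1641168000;
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'RS256', kid: 'rotated-key-2021' }),
  base64UrlEncode({ iss: 'https://example.okta.com/oauth2/default', exp: 1636502400 }),
  'placeholder-signature',
].join('.');

const report = diagnoseAccessToken(SAMPLE_TOKEN, SAMPLE_JWKS, NOW_2022_01_03);
console.log(report); // expired: true, kidKnown: false, expiredForDays: 54
```

A token that is both expired and carries an unknown kid was almost certainly written to storage by something other than the current login flow, which is the shared-storage scenario described in the reply above.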

Thanks @aarongranick-okta, yeah, I guess so. Maybe some other application modified the local storage. But the very strange point is why the kid is different and the expiration time is still two months ago. You know that for the same issuer, the keys endpoint returns the same response, and maybe at that past moment the kid was not the same. Then this user can't have not refreshed the browser for two months, so weird. Anyway, let me try the session storage.

WeipingGan avatar Jan 05 '22 01:01 WeipingGan

Hi, I encounter the same kind of issue as described above. I'm able to generate the access_token from the Okta dashboard with the right kid, but when I generate it through a React Native application, the kid used to sign the access_token doesn't exist in any "well-known" endpoint of the Okta domain. I double-checked the configuration used to set up the Okta client, and everything looks good (values replaced, but all fields used):

{
  clientId: 'okta-client-id',
  discoveryUri: 'https://dev-123.okta.com',
  endSessionRedirectUri: 'app.domain.okta:/auth/logout',
  issuer: 'https://dev-123.okta.com/oauth2/default',
  redirectUri: 'app.domain.okta:/auth/login',
  requireHardwareBackedKeyStore: false,
  scopes: ['openid', 'profile', 'offline_access'],
}

Dallas62 avatar Feb 17 '22 10:02 Dallas62