
feat: support dev Okta JWT tokens #1790

Merged (3 commits), May 28, 2024

Conversation

ktwbc
Contributor

@ktwbc ktwbc commented May 26, 2024

Description

Need to work locally with an Okta dev JWT instead of cognito. There was only one key difference that had to be implemented.

Motivation and Context

Local httpApi JWT validation was written around Cognito but would not work with a dev JWT token from Okta. The only key difference is scopes provided as an scp array instead of a scopes text string, so the changes were just related to that. It will use the scp array if provided, but falls back to original behavior otherwise.

In unit tests, I did put in a new authorizer in the serverless.yml also reflecting the different audience and a JWT Okta example showing some other differences like cid vs client_id but the authorizer already handles those differences.

How Has This Been Tested?

Tested with dev key on my own project using serverless-offline pointing to file:// per docs from my original project
Wrote a unit test with an Okta JWT token in the same format
Ran full existing test suites

Screenshots (if appropriate):
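The claim-shape difference the description talks about (Cognito puts scopes in a space-separated `scope` string, Okta dev tokens in an `scp` array, and Okta uses `cid` where Cognito uses `client_id`) can be handled with a small normalisation layer. The following is an added example, not serverless-offline's own `createJWTAuthScheme.js`; the function names (`extractScopes`, `extractClientId`, `hasRequiredScopes`, `audienceMatches`, `authorize`) and the sample claims are assumptions constructed for illustration, and the code assumes the token's signature, issuer and expiry have already been verified before these claims are inspected.

```javascript
// Added example (not serverless-offline's own code): normalising JWT claims so
// one httpApi-style authorizer accepts both Cognito and Okta dev tokens.
// Assumes signature, issuer and expiry were verified before this point; this
// only deals with the difference in how the two issuers shape their claims.

// Cognito: "scope" is a space-separated string. Okta: "scp" is an array.
// Prefer the array when present and well formed, fall back to the string,
// and return [] when neither is usable so callers never see undefined.
function extractScopes(claims) {
  if (Array.isArray(claims.scp)) {
    return claims.scp.filter((s) => typeof s === 'string' && s.length > 0)
  }
  if (typeof claims.scope === 'string') {
    return claims.scope.split(/\s+/).filter((s) => s.length > 0)
  }
  return []
}

// Cognito carries the client id as "client_id", Okta dev tokens as "cid".
function extractClientId(claims) {
  return claims.client_id ?? claims.cid ?? null
}

// Every scope configured on the route must be present in the token.
function hasRequiredScopes(claims, required) {
  const granted = new Set(extractScopes(claims))
  return required.every((s) => granted.has(s))
}

// "aud" may be a string or an array (RFC 7519); a token with no "aud"
// matches nothing rather than everything.
function audienceMatches(claims, allowedAudiences) {
  if (claims.aud === undefined) return false
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud]
  return aud.some((a) => allowedAudiences.includes(a))
}

// Authorizer decision: reject on audience first, then on scopes, and only
// then hand normalised credentials back to the route.
function authorize(claims, { audiences, requiredScopes }) {
  if (!audienceMatches(claims, audiences)) {
    return { isAuthorized: false, reason: 'audience' }
  }
  if (!hasRequiredScopes(claims, requiredScopes)) {
    return { isAuthorized: false, reason: 'scope' }
  }
  return {
    isAuthorized: true,
    clientId: extractClientId(claims),
    scopes: extractScopes(claims),
  }
}

// Constructed sample claims; every identifier below is a placeholder.
const oktaClaims = {
  ver: 1,
  iss: 'https://dev-00000000.okta.com/oauth2/default',
  aud: 'api://default',
  cid: 'CONSTRUCTED_OKTA_CLIENT_ID',
  scp: ['openid', 'profile', 'email'],
  sub: 'user@example.com',
}

const cognitoClaims = {
  iss: 'https://cognito-idp.us-east-1.amazonaws.com/CONSTRUCTED_POOL_ID',
  client_id: 'CONSTRUCTED_COGNITO_CLIENT_ID',
  scope: 'openid profile email',
  sub: 'CONSTRUCTED_SUB',
}

// Stand-alone usage: both token shapes normalise to the same scope list.
console.log(extractScopes(oktaClaims))
console.log(extractScopes(cognitoClaims))
console.log(authorize(oktaClaims, { audiences: ['api://default'], requiredScopes: ['openid'] }))
```

Because the array is preferred only when it is actually an array, a malformed `scp` (for example a string) falls through to the `scope` handling and then to an empty list, which fails the scope check rather than passing it.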

@ktwbc
Contributor Author

ktwbc commented May 26, 2024

So I thought the unit test passed, but I guess it didn't. I'm very confused because the feature works in real use, and I can log the output of createJWTAuthScheme.js using log.warning() and it builds the correct response converting scp into scopes:

{ credentials:
   { claims:
      { ver: 1,
        jti: 'AT.FMONSagvuix9mndLkk9VG5fxxxxxxxxsv8KcgZJU',
        iss: 'https://dev-12345555.okta.com/oauth2/default',
        aud: 'api://default',
        iat: 1716743614,
        exp: 1716747214,
        cid: '0oa6k6m4wnwyxxxxx',
        uid: '00u5w9j9a8oTbxxxx',
        scp: [ 'openid', 'profile', 'email' ],
        auth_time: 1716734304,
        sub: '[email protected]' },
     scopes: [ 'openid', 'profile', 'email' ] } }

yet the unit test says that scopes is missing on the response.

@ktwbc
Contributor Author

ktwbc commented May 27, 2024

So it turns out that on createJWTAuthScheme the code that returns the scope entry:

return h.authenticated({
  credentials: {
    claims,
    scopes, // <------ ignored by calling function
  },
})

doesn't actually do anything; the items passed back here are completely ignored. In fact, on my PR I commented out the variable as it made no difference on unit tests at all. That in itself may be a bug, but for the purposes of this PR, since the original code of testing scp works, and the test reflects that, I committed that version.

@DorianMazur
Collaborator

Thank you @ktwbc. Some code was missing in LambdaProxyIntegrationEvent class. Now everything works as expected. I will merge it after running CI.

@DorianMazur DorianMazur changed the title feat: 1789 implementing changes to allow Okta Dev tokens to work in h… feat: support dev Okta JWT tokens May 28, 2024
@DorianMazur DorianMazur merged commit 5139c43 into dherault:master May 28, 2024
9 checks passed
@ktwbc ktwbc deleted the feat-1789 branch May 28, 2024 18:06