JWT strategy domain issue
Closed this issue · 1 comments
kkoomen commented
You have a problem in your code:
```ts
super({
  secretOrKeyProvider: passportJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${configService.get<string>(
      'auth.domain',
    )}/.well-known/jwks.json`,
  }),
  jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
  audience: configService.get<string>('auth.audience'),
  issuer: `https://${configService.get<string>('auth.domain')}`,
  algorithms: ['RS256'],
});
```
The `issuer` property must end with a slash. I suggest you do this:
```ts
const issuerUrl = configService.get<string>('auth.domain').replace(/\/*$/, '');
super({
  secretOrKeyProvider: passportJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${issuerUrl}/.well-known/jwks.json`,
  }),
  jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
  audience: configService.get<string>('auth.audience'),
  issuer: `https://${issuerUrl}/`,
  algorithms: ['RS256'],
});
```
to always ensure it's passed correctly.
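The difference between the two snippets above, as an added example that is not part of the original comment or the project's code: it compares both URL constructions against a token whose `iss` claim ends with a slash. Assumptions: issuer validation is modelled as an exact string comparison, and the function names and the `tenant.example.com` domain are constructed for illustration.

```typescript
interface JwtEndpoints {
  issuer: string;
  jwksUri: string;
}

// Construction from the first snippet: the configured domain is interpolated as-is.
function endpointsBefore(domain: string): JwtEndpoints {
  return {
    issuer: `https://${domain}`,
    jwksUri: `https://${domain}/.well-known/jwks.json`,
  };
}

// Construction from the suggested fix: strip any trailing slashes from the
// configured value, then append exactly one slash to the issuer.
function endpointsAfter(domain: string): JwtEndpoints {
  const host = domain.replace(/\/*$/, '');
  return {
    issuer: `https://${host}/`,
    jwksUri: `https://${host}/.well-known/jwks.json`,
  };
}

// Assumed validation model: the `iss` claim must equal the expected issuer
// (or one of a list) byte for byte, with no URL normalisation.
function issuerAccepted(iss: unknown, expected: string | string[]): boolean {
  if (typeof iss !== 'string') return false;
  return Array.isArray(expected) ? expected.indexOf(iss) !== -1 : iss === expected;
}

// Constructed sample claim: an issuer URL ending in a slash.
const tokenIss = 'https://tenant.example.com/';

// Evaluate both constructions for one configured 'auth.domain' value.
function compare(domain: string) {
  const before = endpointsBefore(domain);
  const after = endpointsAfter(domain);
  return {
    domain,
    beforeAccepted: issuerAccepted(tokenIss, before.issuer),
    beforeJwksUri: before.jwksUri,
    afterAccepted: issuerAccepted(tokenIss, after.issuer),
    afterJwksUri: after.jwksUri,
  };
}

// Two ways the same domain might be written in configuration (constructed).
for (const d of ['tenant.example.com', 'tenant.example.com/']) {
  console.log(JSON.stringify(compare(d)));
}
```

With the first construction, a domain configured without a trailing slash rejects every token on the issuer check, while a domain configured with one passes the check but produces a JWKS URL containing `//`; the second construction gives the same result for both spellings.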
jajaperson commented
Sorry, it took a while, it should be fixed now.