OAuth2 client credentials flow not working for clients with multiple JWK keys
emanor-okta opened this issue · 4 comments
The OAuth2 client credentials flow fails for clients with multiple JWK keys, when attempting to get an access token:
[OktaApiError: Okta HTTP 401 undefined ] {
status: 401,
errorCode: undefined,
errorSummary: '',
errorCauses: undefined,
errorLink: undefined,
errorId: undefined,
url: 'https://{DOMAIN}.okta.com/oauth2/v1/token',
headers: Headers {
[Symbol(map)]: [Object: null prototype] {
date: [Array],
server: [Array],
'content-type': [Array],
'x-okta-request-id': [Array],
'x-xss-protection': [Array],
p3p: [Array],
'x-rate-limit-limit': [Array],
'x-rate-limit-remaining': [Array],
'x-rate-limit-reset': [Array],
'cache-control': [Array],
pragma: [Array],
expires: [Array],
'expect-ct': [Array],
'x-content-type-options': [Array],
'strict-transport-security': [Array],
'set-cookie': [Array],
connection: [Array],
'transfer-encoding': [Array]
}
}
}
It appears that the API call to /oauth2/v1/token works with no issues for clients that only have one JWK (regardless of whether the JWK has a kid or not).
However, based on my tests, when multiple JWKs are configured for the same client, the API appears to accept only client_assertion JWTs that include the kid of the signing key in the header.
Unfortunately, the SDK does not offer a way to add a header to the signed JWT, so attempts to get a token fail with the error above.
If I modify the current implementation of https://github.com/okta/okta-sdk-nodejs/blob/master/src/jwt.js and add the following after line number 63,
.setHeader('kid', jwk.kid);
I am able to log in and retrieve an access token. Please implement a way of adding the kid of the signing key in the JWT header, if needed.
Thanks for the detailed report @emanor-okta, we'll look into this.
Internal Ref: OKTA-363821
I am experiencing this as well.
Internal Jira OKTA-386883
@emanor-okta @eshleebien @codepadma the fix was released in 4.6.0.