okta/samples-php

Verification of JWT failed

Closed this issue · 6 comments

I'm getting this error when I'm trying to test the examples on Windows 10.

My setup is:
Apache 2.4
PHP 7.4.9

Any ideas why this is happening?

@carlospalmap I'm sorry, but I don't see any errors in your issue report. Could you please tell me what the error you are seeing is?

My apologies, I didn't include more details. Here's what happened.
I'm able to see the index page, then I can log in with the Okta credentials but after a successful login on the Okta server I got an error in the return to localhost. I cannot see any error just the message "Verification of JWT failed" on this page http://localhost:8080/authorization-code/callback?code=[code]&state=applicationState.
Nothing about the error in the logs.

Here's the code where the message is generated.
if(verifyJwt($exchange->access_token) == false) { die('Verification of JWT failed'); }

BTW this error only happens in Windows, I tried the same example on Linux and it works fine.

Any clues about this problem?

Hi @carlospalmap,

I was not able to reproduce the issue on Windows 2012 R2 server, with php version 7.2.6.

  • Have you modified the app in any way? If so, can you share it with us, so that we can run it in our environment?
  • If not, can you check if there's clock drift in your Windows machine? JWT verification can fail if the expiration time set in the token by Okta has passed because of clock drift in the local machine.
    Since you said that it works on Linux but not on Windows, I'm guessing it to be the clock drift issue.

I had to modify something to work around another error.
This is the error:
Notice: SSL certificate problem: unable to get local issuer certificate in C:\Users\Carlos\Websites\samples-php\okta-hosted-login\index.php on line 115
Could not exchange code for an access token

On this part of the code:
$url = getenv("ISSUER").'/v1/token?' . $query;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, 1);

I had to add this to keep working:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

Could you explain more about clock drift?
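The "unable to get local issuer certificate" notice means PHP's cURL has no CA bundle to validate the Okta certificate chain against, which is common on Windows builds. Setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0 silences the notice but removes the protection that keeps the code-for-token exchange (which carries the client secret) from being intercepted. The following is an added example, not code from okta/samples-php: the same exchange with verification left on and a CA bundle supplied explicitly. The bundle path, the helper name and the structure of the success checks are assumptions; `$query` and `$headers` are the variables the sample already builds.

```php
<?php
// Added example, not part of okta/samples-php. Assumes $caBundle is a PEM CA
// bundle; PHP's Windows zip ships one under extras\ssl\cacert.pem (path is an
// assumption, adjust to your install).
function exchangeCodeForToken(string $issuer, string $query, array $headers, string $caBundle): array
{
    // Fail with a clear message instead of the cURL "local issuer certificate" notice.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($issuer . '/v1/token?' . $query);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_POST           => true,
        // The fix is to give cURL a trust store, not to turn verification off.
        CURLOPT_SSL_VERIFYPEER => true,   // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,      // require the certificate name to match the host
        CURLOPT_CAINFO         => $caBundle,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Token exchange failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($status !== 200) {
        throw new RuntimeException("Token endpoint returned HTTP $status: $body");
    }
    $token = json_decode($body, true);
    if (!is_array($token) || empty($token['access_token'])) {
        throw new RuntimeException('Token response did not contain access_token');
    }
    return $token;
}

// Usage in index.php, mirroring the sample's variables:
// $exchange = exchangeCodeForToken(getenv('ISSUER'), $query, $headers, 'C:\\php\\extras\\ssl\\cacert.pem');
```

If you would rather not touch the sample code, the same bundle can be configured once in php.ini with `curl.cainfo = "C:\php\extras\ssl\cacert.pem"` (and `openssl.cafile` for non-cURL TLS); after that the unmodified sample verifies the Okta certificate without the two `VERIFY*` lines.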

The access token returned by the Okta server has an issued-at (iat) and expiration timestamp (exp) associated with it.
If the system time on your Windows machine isn't synced correctly to Unix time, it can cause issues with the verification of the token (the common case is if your system clock is lagging behind: the iat timestamp could be in the future, which causes token validation to fail).
So, it's important to have your system time set correctly.
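To make the clock-drift explanation concrete, here is an added example (not code from okta/samples-php or the Okta PHP SDK) that reads only the time claims of a token and evaluates them against a supplied "now", so the same token can be checked with a correct clock, a clock that is behind, and one that is ahead. The token is constructed inline with a dummy signature; the helper names, the issuer value and the 60-second leeway are assumptions. Signature verification is a separate step and is not shown here.

```php
<?php
// Added example, not part of okta/samples-php. Checks iat/nbf/exp only; it does
// not verify the signature, which the sample's verifyJwt() is responsible for.
function base64UrlDecode(string $s): string
{
    $pad = strlen($s) % 4;
    if ($pad !== 0) {
        $s .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($s, '-_', '+/'), true) ?: '';
}

function base64UrlEncode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns [bool ok, string reason]. $now is injected so drift can be simulated.
function checkTimeClaims(string $jwt, int $now, int $leeway = 60): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return [false, 'not a compact JWS (expected 3 segments)'];
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($claims)) {
        return [false, 'payload is not a JSON object'];
    }
    // A lagging local clock makes a freshly issued token look like it was issued in the future.
    if (isset($claims['iat']) && $claims['iat'] > $now + $leeway) {
        return [false, sprintf('iat is %d s in the future (local clock behind?)', $claims['iat'] - $now)];
    }
    if (isset($claims['nbf']) && $claims['nbf'] > $now + $leeway) {
        return [false, sprintf('token not valid for another %d s', $claims['nbf'] - $now)];
    }
    if (!isset($claims['exp'])) {
        return [false, 'missing exp claim'];
    }
    // A clock running ahead rejects tokens that are still valid at the issuer.
    if ($claims['exp'] < $now - $leeway) {
        return [false, sprintf('expired %d s ago (local clock ahead?)', $now - $claims['exp'])];
    }
    return [true, 'time claims ok'];
}

// Constructed token: realistic claim layout, fake signature segment.
$issuedAt = 1700000000;
$payload  = [
    'iss' => 'https://example.okta.com/oauth2/default', // constructed issuer
    'iat' => $issuedAt,
    'exp' => $issuedAt + 3600,                          // Okta access tokens are typically 1 h
];
$token = base64UrlEncode(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.'
       . base64UrlEncode(json_encode($payload)) . '.'
       . 'signature-placeholder';

// Evaluate the same token 10 s after issue under three local clocks:
// exact, 5 minutes behind (the Windows case from this thread), and 2 hours ahead.
foreach (['in sync' => 0, '5 min behind' => -300, '2 h ahead' => 7200] as $label => $skew) {
    [$ok, $why] = checkTimeClaims($token, $issuedAt + 10 + $skew);
    printf("%-13s %s: %s\n", $label, $ok ? 'PASS' : 'FAIL', $why);
}
```

With the clock in sync the token passes; 5 minutes behind it fails on iat, which is exactly the symptom of a bare `die('Verification of JWT failed')`. Logging the reason string from the checker, rather than a generic message, is what makes drift diagnosable from the server log. On Windows, `w32tm /query /status` shows whether the machine is synchronised and `w32tm /resync` forces a sync.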

We are closing this issue as stale. If you are still having issues, please update this ticket.