Okta backend verification of Access Token generated in PKCE flow



  • I'm looking to verify the security of the OAuth mechanism for an application I'm testing. The application uses Okta for SSO and the PKCE OAuth flow.

    What I'm not clear on is how the backend is verifying the Access Token, given the configuration supplied to the Okta SDK. The only configuration passed to the SDK is the Okta Domain - https://dev-xxxxx.okta.com

    On monitoring the traffic from the app, I can see calls to the following endpoints on application startup. Following this no further calls appear to be made to Okta on authorizing requests.

    It appears that the latter of the two requests below fetches a set of keys. I'm thinking maybe these keys are used in the verification of the access token, but since these keys are publicly available via the URL, I'm unsure how this would work.

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
        options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
    })
    .AddOktaWebApi(new OktaWebApiOptions
    {
        OktaDomain = Configuration["OktaDomain"],
        ClockSkew = TimeSpan.FromMinutes(2)
    });
    
    services.AddAuthorization(options =>
    {
        // ...
    });
    

    So my question is - what mechanism is Okta using to verify that the signature of the JWT token is valid on the backend?



  • Okta and the client app are using RSA as the underlying verification mechanism. Okta signs its JWTs using the private half of an RSA keypair and publishes the public half of the keypair at that /keys endpoint. The JWT contains the ID of the key that was used to sign it, so the client app can then retrieve the public key and use it to verify that the JWT was signed using the corresponding private key. If the signature verification succeeds then the client can infer that Okta issued the token and that its payload hasn't been altered, since Okta is the only party who has access to the private key.
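As an added illustration of the mechanism that answer describes (example code written here, not code from the question's app or from the Okta SDK): a small Go stand-in for the SDK's check, where a locally generated RSA key pair plays the role of Okta's signing key and its `/keys` entry, and the key set is a plain map keyed by `kid`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// VerifyRS256 does what the SDK does after fetching /keys: read the unverified header,
// select the published key by kid, and check the RSA signature over "header.payload".
// Claim checks (iss, aud, exp) remain a separate step for the caller.
func VerifyRS256(token string, keys map[string]*rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token must not get to choose "none" or HMAC
		return nil, errors.New("unexpected alg: " + hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("no published key with kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature check failed: " + err.Error())
	}
	return b64.DecodeString(parts[1])
}

// SignRS256 plays the issuer's side for the demo with a constructed key (not Okta's).
func SignRS256(kid string, claims []byte, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
```

Only the private half ever signs, so a verifier holding nothing but the public `/keys` material can still reject a token whose payload was edited or whose `kid` is not one the issuer published.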

