Jam1

Reputation: 649

Verifying Access Tokens Generated from Multiple Client IDs with Okta

I have two applications using the same backend. Both frontend applications use different client IDs. What is the best way to go about verifying access tokens for both frontend applications? Below is the basic structure of what I have.

const OktaJwtVerifier = require('@okta/jwt-verifier');

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: process.env.OKTA_ISSUER,
  clientId: process.env.OKTA_CLIENT_ID
});

// verifyAccessToken() returns a promise, so it has to be awaited inside an async function.
async function verify(accessTokenString) {
  // The second argument is the expected audience; the client ID is being passed there.
  const oktaToken = await oktaJwtVerifier.verifyAccessToken(accessTokenString, [
    process.env.OKTA_CLIENT_ID,
  ]);
  return oktaToken;
}

Is there a way to send in an array of issuer and clientId? The objective is to verify access tokens generated from two applications, APP X and APP Y, that is, clientId X and clientId Y.

Upvotes: 1

Views: 1005

Answers (1)

Philipp Grigoryev

Reputation: 2143

You don't need to verify the client id, as it's the one used to obtain the token. Okta's GitHub repo README.md gives you an idea of the claims/conditions to be verified for access tokens (https://github.com/okta/okta-jwt-verifier-js#access-tokens), so please check.

Here is a snippet from the verification library, which shows that you don't need client_id for access token verification:

  async verifyAccessToken(accessTokenString, expectedAudience) {
    // njwt verifies expiration and signature.
    // We require RS256 in the base verifier.
    // Remaining to verify:
    // - audience claim
    // - issuer claim
    // - any custom claims passed in

    const jwt = await this.verifyAsPromise(accessTokenString);
    verifyAudience(expectedAudience, jwt.claims.aud);
    verifyIssuer(this.issuer, jwt.claims.iss);
    verifyAssertedClaims(this, jwt.claims);

    return jwt;
  }

In general, it doesn't matter what the client id was through which a token got obtained, but rather the content of the token:

  • who it is for
  • who issued it
  • its expiration time
  • scopes
  • custom claims

If you are concerned about client IDs, you can eliminate it at the authZ server level by introducing constraints in its access policy/rule.

Upvotes: 2
