This strategy uses a full auth code flow, so an ID token is fetched by the app directly from the Okta token endpoint in exchange for the authorization code.
Therefore I assume the fact that the token comes from a predefined URL over HTTPS is sufficient for token verification.
UPD:
My original comment was more about signature verification.
As for separate claims verification, indeed from version 2 of the ruby-jwt gem the behavior of the verify option has changed.
If it is set to false, then verification is completely skipped, even if separate claim verification options are set to true.
Security bug(??)

The call to JWT.decode() in omniauth-okta/lib/omniauth/strategies/okta.rb (lines 97 to 110 in b7d530a; the embedded code snippet was not captured) [...] true (verify = true) to allow claim verification. The verify_* options do not do anything unless verify = true (line 99). See: https://github.com/jwt/ruby-jwt/blob/0ae9af6fd5f5085588a65accb2a23587c52ac637/lib/jwt/decode.rb#L26-L32
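To make the failure mode concrete, here is an added example (not code from omniauth-okta or ruby-jwt) that models the ruby-jwt >= 2 decode semantics on the Ruby standard library alone: the helper names, keys and token contents are constructed for this illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Minimal HS256 JWT helpers on the Ruby standard library. Constructed for this
# example only; this is a model of the behaviour, not ruby-jwt's own code.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def sign_hs256(payload, secret)
  header = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  body   = b64url(JSON.generate(payload))
  sig    = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
  "#{header}.#{body}.#{b64url(sig)}"
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Models the ruby-jwt >= 2 semantics the issue describes: with verify set to
# false the signature AND every claim check are skipped, regardless of the
# verify_* options passed alongside it.
def decode_like_ruby_jwt(token, secret, verify, verify_aud: false, aud: nil)
  header, body, sig = token.split('.')
  payload = JSON.parse(Base64.urlsafe_decode64(body))
  return payload unless verify

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
  raise 'signature verification failed' unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
  raise 'invalid audience' if verify_aud && !Array(payload['aud']).include?(aud)
  payload
end

# A token signed with the wrong key and carrying the wrong audience (constructed).
def untrusted_token
  sign_hs256({ 'sub' => 'alice', 'aud' => 'some-other-app' }, 'wrong-key')
end

# True when the decoder accepts the untrusted token under the given verify setting,
# with verify_aud: true in both cases.
def accepted?(verify)
  decode_like_ruby_jwt(untrusted_token, 'real-secret', verify, verify_aud: true, aud: 'my-app')
  true
rescue RuntimeError
  false
end
```

With verify false the bad-signature, wrong-audience token is accepted even though verify_aud is true; with verify true it is rejected, which is why the decode call must pass verify = true for the claim options to have any effect.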