Okta JWT as header Authorization Bearer Token

[justinlevi]

Question 💬

Thanks in advance for any help. Really appreciative of all the work that's gone into this project.

I'm likely missing something fundamental, and just going in circles at this point, but hoping someone can point me in the right direction. I'm pretty new to NextJS and Oath2.0 in general so apologies if there is something basic I'm missing here.

---

Overview:

I have a NextJS App with an external GraphQL API. I need to authenticate via Okta and pass along the accessToken to the external API via an Authorization header. On the external Apollo GraphQL API I then need to verify the token against Okta for each GraphQL query/mutation to ensure the current user has permission to access a given resource.

What I have tried:

I setup an api proxy in my NextJs app based on @iaincollins response on issue #320, with the thought that I could set the Authorization header there using .
#320 (comment)

import { getToken } from 'next-auth/jwt';

...// skipping proxy code

const token = await getToken({ req, secret, raw: true });
proxyReq.setHeader('Authorization', `Bearer ${token}`)

This does set the header, which I can then access via the API. The problem is when I try to verify this token from the API with Okta, I get the following error:

AuthenticationError: JwtParseError: Unexpected signature algorithm

Side note: this is the proxy approach I took using createProxyMiddleware.
vercel/next.js#14057

Using jwt.io, If I look at the token, I can see that algorithm is using "alg": "HS512" which is the default algo that NextAuth uses to encode the JWT.

I also tried using the code from #320 to get the encrypted token from the session cookies

const secureCookieName = '__Secure-next-auth.session-token'
  const insecureCookieName = 'next-auth.session-token'
  const encryptedToken = req.cookies[secureCookieName] || req.cookies[insecureCookieName]

  // Decrypt using secret and return as string
  const decryptedBytes = CryptoJS.AES.decrypt(encryptedToken, secret)
  const token = decryptedBytes.toString(CryptoJS.enc.Utf8)

  // Still signed but not encrypted (this is what you want)
  console.log(token)
  

But I get the error Error: Malformed UTF-8 data which doesn't make any sense to me.

My secret environment variable is set to a random set of characters.

Question/Issues:

• Do I need to override the NextAuthOptions -> jwt -> encode/decode functions to use the RS256 algo, which is what Okta expects? (example here? getToken returns null when raw=false, but works with raw=true #523 (comment))
• Do I need to generate my own keys using the RS256 Algo using node-jose-tools based off the thread I'm seeing here? How to resolve [next-auth][warn][jwt_auto_generated_signing_key] #484
• Won't the NextAuth encoded JWT authorization token be invalid when I ultimately verify on my API with Okta as NextAuth is using a different secret key to encode a new jwt?
• Seems that I may need to implement a local getToken function based off this thread
  getToken returns null when raw=false, but works with raw=true #523 (comment)

At this point my head is generally spinning and I'm not sure where to turn. This feels like a pretty common requirement so I'm wondering if I'm missing something obvious.

Some reference issues I've found that seem to have similar issues:
#320
#1290
#523 (comment)

Using getToken
https://github.com/nextauthjs/next-auth-example/blob/main/pages/api/examples/jwt.js

How to reproduce ☕️

I'm working on putting together a simple demo example and will try to update this issue.

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[balazsorban44]

the Okta token is not the same as the one generated by NextAuth.js

[balazsorban44]

https://next-auth.js.org/configuration/callbacks#jwt-callback

check out the account param

[justinlevi]

Thank you! Thank you! Fantastic!!!

I can see the Okta RS256 token via token.access_token on the account and I can set it like:

    async jwt(token, user, account, profile, isNewUser) {
      
      if (account && account.access_token) {
        token.accessToken = account.access_token;
      }
      return token;
    }
    

How would I then access this via my proxy api route?

getToken returns the NextAuth token and not the Okta accessToken.

[balazsorban44]

getToken literally gives you the content what you return in jwt. just don't use the raw:true flag

[justinlevi]

@balazsorban44 thank you again so much for your help. Learning a new library is tricky for me and it's really appreciated that you took the time to respond. Cheers.

[balazsorban44]

No problem! Ideally, our documentation would help you out, so if you had a look and still did not understand, we appreciate any feedback!