AccessTokenVerifier missing client_id validation - security regression from JWTVerifier #84

@jolanglinais

Problem

The new AccessTokenVerifier class is missing Client ID validation that was present in the soon-to-be deprecated JWTVerifier. This creates a security regression where tokens issued for other applications within the same Okta domain could potentially be accepted.

Background

The deprecation warning has been present in the codebase for 4 years, so I'll tag @bretterer:

warnings.warn('JWTVerifier will be deprecated soon. '
              'For token verification use IDTokenVerifier or AccessTokenVerifier. '
              'For different jwt utils use JWTUtils.', DeprecationWarning)

When trying to migrate to the new verifiers, AccessTokenVerifier lacks critical security validation that was present in JWTVerifier.

Current Behavior

from okta_jwt_verifier import JWTVerifier, AccessTokenVerifier

# Old JWTVerifier (secure)
jwt_verifier = JWTVerifier(
    issuer_url,
    client_id,  # ✅ Validates client ID
    audience,
    leeway=60
)

# New AccessTokenVerifier (insecure)
jwt_verifier = AccessTokenVerifier(
    issuer=issuer_url,
    audience=audience,  # ❌ No client_id parameter
    leeway=60
)

Expected Behavior

AccessTokenVerifier should include client ID validation to maintain the same security level as JWTVerifier (it currently has a stub string):

jwt_verifier = AccessTokenVerifier(
    issuer=issuer_url,
    client_id=client_id,  # ✅ Should validate client ID
    audience=audience,
    leeway=60
)

Security Impact

  • Before: Tokens were validated to ensure they were issued specifically for the correct client application
  • After: Tokens are only validated for issuer and audience, potentially allowing tokens from other applications in the same Okta domain

Workaround

Currently requires manual client ID validation after AccessTokenVerifier.verify():

from jose import jwt  # python-jose, which okta-jwt-verifier itself uses

# Verify basic JWT claims (signature, issuer, audience, expiry)
await jwt_verifier.verify(token)

# Manually validate client ID: Okta access tokens carry the requesting
# application's client ID in the 'cid' claim
claims = jwt.get_unverified_claims(token)
if claims.get('cid') != expected_client_id:
    raise Exception("Invalid client ID")

Request

Add client_id parameter to AccessTokenVerifier constructor and implement client ID validation in the verify() method to maintain security parity with the deprecated JWTVerifier.

Environment

  • Library version: okta-jwt-verifier = "^0.2.9"
  • Python version: 3.13
  • Okta configuration: OIDC with access tokens
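The workaround above, carried through as a reusable check, as an added example that is not part of the issue or of the okta-jwt-verifier project. It assumes the library's `AccessTokenVerifier.verify()` has already accepted the token (signature, `iss`, `aud`, `exp`) and only adds the `cid` enforcement the issue asks for; the client IDs, issuer URL and tokens below are constructed test data with a placeholder signature, and `_AcceptingVerifier` is a stand-in for the real verifier so the demo runs offline. It goes slightly beyond the snippet in the issue: it accepts a set of allowed client IDs and rejects a token whose `cid` claim is missing or not a string, rather than only comparing one value.

```python
# Added example (not from the issue or the okta-jwt-verifier project): enforce the
# `cid` claim after the library has verified signature, iss, aud and exp.
import asyncio
import base64
import json


class ClientIdMismatch(Exception):
    """The token's cid claim is missing or not one of our client IDs."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_claims(token: str) -> dict:
    """Payload of a compact JWS, decoded without signature checking.

    Only call this *after* AccessTokenVerifier.verify() (or equivalent) has
    accepted the token; on its own it proves nothing about who issued it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_client_id(token: str, allowed_client_ids) -> str:
    """Reject tokens minted for any other OIDC application in the same Okta org.

    Okta puts the requesting application's client ID in the `cid` claim of
    access tokens. A missing or non-string cid is treated as a mismatch.
    """
    allowed = set(allowed_client_ids)
    cid = unverified_claims(token).get("cid")
    if not isinstance(cid, str) or cid not in allowed:
        raise ClientIdMismatch(f"cid {cid!r} is not an allowed client ID")
    return cid


async def verify_access_token(verifier, token: str, allowed_client_ids) -> str:
    """Library verification first, then the client-ID check the issue asks for.

    `verifier` is anything with an async verify(token), e.g. the real
    AccessTokenVerifier(issuer=..., audience=...).
    """
    await verifier.verify(token)  # signature, iss, aud, exp: the library's job
    return check_client_id(token, allowed_client_ids)


# ---- constructed test data (placeholder signature, never to be trusted) -----
OUR_CLIENT_ID = "0oa1111ourapp"      # hypothetical client ID of this service
OTHER_CLIENT_ID = "0oa2222otherapp"  # hypothetical second app in the same org
ISSUER = "https://dev-000000.okta.com/oauth2/default"  # hypothetical issuer
AUDIENCE = "api://default"


def _make_token(claims: dict) -> str:
    # Builds the compact JWS shape with a dummy signature; used only to feed
    # the claim check in this offline demo.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


GOOD_TOKEN = _make_token({"iss": ISSUER, "aud": AUDIENCE, "cid": OUR_CLIENT_ID, "sub": "u1"})
# Same issuer and audience, so the library's iss/aud checks pass, but issued to another app.
OTHER_APP_TOKEN = _make_token({"iss": ISSUER, "aud": AUDIENCE, "cid": OTHER_CLIENT_ID, "sub": "u2"})
NO_CID_TOKEN = _make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "u3"})


class _AcceptingVerifier:
    """Stand-in for AccessTokenVerifier in this offline demo: accepts every
    token, which is exactly the gap the cid check has to close."""

    async def verify(self, token: str) -> None:
        return None


def demo() -> dict:
    """Run all three tokens through the combined check; returns the outcome per token."""
    results = {}
    for name, token in (("good", GOOD_TOKEN), ("other_app", OTHER_APP_TOKEN), ("no_cid", NO_CID_TOKEN)):
        try:
            results[name] = asyncio.run(
                verify_access_token(_AcceptingVerifier(), token, {OUR_CLIENT_ID}))
        except ClientIdMismatch:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

In production, pass a real `AccessTokenVerifier(issuer=..., audience=...)` as `verifier`; the order matters, since reading claims before the signature check would let an attacker choose the `cid` value.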
