validating jwt from client credentials flow

[rbro]

I am looking to validate a JWT issued by Okta for the Client Credentials flow. Please let me know if this should be asked instead in the Okta dev forums.

I am building an API that many other systems will call for machine to machine communication. Each system hits the same URL in the API. From what I understand with the Client Credentials flow, each system will have a separate application in Okta, so each will have its own client id.

When using okta-jwt-verifier-php, it seems that I have to pass a client id using setClientId(). If I don't, I get back an error "ClientId does not match what is expected".

I could be misunderstanding how Client Credentials works, but in this scenario, each JWT will have a different client id since each system will have its own application. Is that correct, and if so, is there a way that I can validate JWT's where the client id could be one of many possible valid client ids? I will be validating the client id in my own code after the JWT is verified.

Or does the Client Credentials flow work differently?

Thank you for your help.

[bretterer]

@rbro could you please respond with reproduction steps for getting your error. I believe I know what is going on, but want to be sure by seeing your configuration and reproduction steps first.

[rbro]

I was trying the below where dev.okta.com is my Okta URL:

$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt)
    ->setAudience('api://default')
    ->setIssuer('https://dev.okta.com/oauth2/default')
    ->build();

$jwt = $jwtVerifier->verify($jwtString);

Because cid was a claim in my JWT, I was getting the error "ClientId does not match what is expected".

I'm first more interested if this is the correct way to validate a JWT from the Client Credentials flow as again, I believe the client id will be different for each application, so there won't be a single client id to pass in setClientId() - but wanted to confirm that first. Thanks.

[bretterer]

Yes, That would be the correct way to do it. You do need to use setClientId() for this.

For the issue of different clientId's, we suggest that you dynamically build your jwt verifier as you go and place the clientId for the specific application at generation time of the verifier.

[rbro]

Thanks - in my case, all the clients/applications connecting to the API are hitting the same URL, so when I validate the JWT, there are one of many possible ClientID's that the JWT may have. Again because in the Client Credentials flow, each client is a separate application, so each gets a different ClientID.

[bretterer]

@rbro unfortunately, there is no way to handle this in the current library. We will look into adding this as an enhancement in a future release of this library.