Token claims are not verified

[lancerushing]

Security bug(??)

The call to JWT.decode()

omniauth-okta/lib/omniauth/strategies/okta.rb

Lines 97 to 110 in b7d530a

	JWT.decode(token,
	nil,
	false,
	verify_iss: true,
	verify_aud: true,
	iss: authorization_server_path,
	aud: authorization_server_audience,
	verify_sub: true,
	verify_expiration: true,
	verify_not_before: true,
	verify_iat: true,
	verify_jti: false,
	leeway: options[:jwt_leeway]
	).first

requires true (verify = true) to allow claim verification.

The verify_* options do not do anything unless verify = true (line 99).

see: https://github.com/jwt/ruby-jwt/blob/0ae9af6fd5f5085588a65accb2a23587c52ac637/lib/jwt/decode.rb#L26-L32

[lancerushing]

Something like this is needed: (not tested)

      JWT.decode(token,
                 nil,
                 true,
                 algorithm: 'RS256',
                 jwks: JSON.load(URI.open(JSON.load(URI.open(authorization_server_path) + "/.well-known/openid-configuration"))['jwks_uri'])),
                 verify_iss:        true,
                 iss:               authorization_server_path,
                 verify_aud:        true,
                 aud:               authorization_server_audience,
                 verify_sub:        true,
                 verify_expiration: true,
                 verify_not_before: true,
                 verify_iat:        true,
                 verify_jti:        false,
                 leeway:            60
      ).first

[okriuchykhin]

This strategy uses a full auth code flow so an ID token is fetched by the app directly from Okta token endpoint in exchange to authorization code.
Therefore I assume the fact that token comes from predefined URL through HTTPS protocol is sufficient for token verification.

UPD:
My original comment was more about signature verification.

As for separate claims verification, indeed from version 2 of ruby-jwt gem behavior of a verify option has changed.
If it is set to false, than verification is completely skipped, even if separate claim verification options are set to true.