Problem
The new AccessTokenVerifier class is missing Client ID validation that was present in the soon-to-be deprecated JWTVerifier. This creates a security regression where tokens issued for other applications within the same Okta domain could potentially be accepted.
Background
The deprecation warning has been present in the codebase for 4 years, so I'll tag @bretterer:
```python
warnings.warn('JWTVerifier will be deprecated soon. '
              'For token verification use IDTokenVerifier or AccessTokenVerifier. '
              'For different jwt utils use JWTUtils.', DeprecationWarning)
```
When trying to migrate to the new verifiers, AccessTokenVerifier lacks critical security validation that was present in JWTVerifier.
Current Behavior
```python
# Old JWTVerifier (secure)
jwt_verifier = JWTVerifier(
    issuer_url,
    client_id,  # ✅ Validates client ID
    audience,
    leeway=60
)

# New AccessTokenVerifier (insecure)
jwt_verifier = AccessTokenVerifier(
    issuer=issuer_url,
    audience=audience,  # ❌ No client_id parameter
    leeway=60
)
```
Expected Behavior
AccessTokenVerifier should include client ID validation to maintain the same security level as JWTVerifier (it currently has a stub string):
```python
jwt_verifier = AccessTokenVerifier(
    issuer=issuer_url,
    client_id=client_id,  # ✅ Should validate client ID
    audience=audience,
    leeway=60
)
```
Security Impact
- Before: Tokens were validated to ensure they were issued specifically for the correct client application
- After: Tokens are only validated for issuer and audience, potentially allowing tokens from other applications in the same Okta domain
Workaround
Currently requires manual client ID validation after AccessTokenVerifier.verify():
```python
from jose import jwt  # python-jose, the JWT library okta-jwt-verifier builds on

# Verify signature, issuer, audience and expiry via the library
await jwt_verifier.verify(token)

# Manually validate client ID (safe to read unverified claims only after verify() passed)
claims = jwt.get_unverified_claims(token)
if claims.get('cid') != expected_client_id:
    raise Exception("Invalid client ID")
```
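A fuller form of this workaround, as an added example that is not part of the issue or of the okta-jwt-verifier project: the client ID check runs only after the library's own verification, rejects a missing `cid` as well as a mismatched one, and a stub stands in for `AccessTokenVerifier` (and a hand-rolled payload decoder for `jose.jwt.get_unverified_claims`) so it runs offline on constructed tokens.

```python
# Added example, not code from the issue or from okta-jwt-verifier: a wrapper that
# adds the missing client ID check AFTER the library's verify() has validated the
# signature, issuer, audience and expiry. _StubVerifier stands in for
# okta_jwt_verifier.AccessTokenVerifier so the example runs offline.
import asyncio
import base64
import hmac
import json


class ClientIdMismatch(Exception):
    """Token's 'cid' claim is absent or belongs to a different application."""


def unverified_claims(token: str) -> dict:
    """Decode the payload segment without checking the signature (like
    jose.jwt.get_unverified_claims); only trust the result after verify()."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_client_id(claims: dict, expected_client_id: str) -> None:
    """Reject tokens issued to another client in the same Okta org."""
    cid = claims.get("cid")
    if not isinstance(cid, str) or not hmac.compare_digest(cid.encode(), expected_client_id.encode()):
        raise ClientIdMismatch(f"cid {cid!r} is not the expected client")


async def verify_for_client(verifier, token: str, expected_client_id: str) -> dict:
    """Order matters: signature and standard-claim checks first, then cid."""
    await verifier.verify(token)        # raises on bad signature/iss/aud/exp
    claims = unverified_claims(token)   # safe now: signature already verified
    check_client_id(claims, expected_client_id)
    return claims


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: real header/payload encoding, placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.sig"


class _StubVerifier:  # stands in for AccessTokenVerifier; accepts every token
    async def verify(self, token: str) -> None:
        return None


def accepted(token: str, expected_client_id: str) -> bool:
    """True only if library verification AND the client ID check both pass."""
    try:
        asyncio.run(verify_for_client(_StubVerifier(), token, expected_client_id))
        return True
    except (ClientIdMismatch, ValueError):
        return False
```

In production, replace `_StubVerifier` with a real `AccessTokenVerifier(issuer=..., audience=...)`; the rest of the wrapper is unchanged.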
Request
Add client_id parameter to AccessTokenVerifier constructor and implement client ID validation in the verify() method to maintain security parity with the deprecated JWTVerifier.
Environment
- Library version: okta-jwt-verifier = "^0.2.9"
- Python version: 3.13
- Okta configuration: OIDC with access tokens