Mocking OneLogin with WireMock for Next-Auth #464

stychu · 2022-10-20T11:07:24Z

stychu
Oct 20, 2022

Hello there, I'm trying to setup a mocked OneLogin server (WireMock) with hardcoded login flow for my nextjs app with Next-Auth.
I've hit a wall when I submit credentials on my fake OneLogin form and it returns me back to my nextjs app and tries to verify token_id.

failed to validate JWT signature

Is it possible to generate a valid JWT so that I can hardcode it in responses from my fake server to be used by nextjs app in development?

I can't get it working so it matches the signatures and allows the flow to work.

Here are my config for OneLogin fake endpoints

{
  "request": {
    "method": "GET",
    "url": "/oidc/2/certs"
  },
  "response": {
    "status": 200,
    "headers": {
      "Content-Type": "application/json; charset=utf-8"
    },
    "jsonBody": {
      "keys": [
        {
          "alg": "RS256",
          "kty": "RSA",
          "use": "sig",
          "n": "1Tk8chAhEpJ5pyNF4gE4LRS92vibT5xNdLzOTfvlI-oMGYa06vpoz2--cKF4OrpNf-jNwCZRrJKk8xIK0XiyuJ3NCgswVp98ANknV3hkD1yR0WHB9FQiAJAADbJCdzrLUSTybIZi6GUJ6fZ21_WvkzO4xTfAodkUcTd28OpACmTvAO5EsgNShbC-CrgqXRYrjLK8s9Hl05UTFyeZfisK18nbPgxk1ujs5ST1L8Lm1cTJiiNdrOdsmkmRD4IobTqJ8bF4cNBF9Y2Pzk-pIXhIKHIGR2EfXrBwX-oQjOvE41w8jugLR70h1GHzIa3cQGYIVLcC1tGxJBu5y8TRy_o2aQ",
          "e": "AQAB",
          "kid": "CP80rcw95YDG4SKq2nzTA",
          "x5t": "6nZE-AEhnhiCgFCanactdgD5Glw",
          "x5c": [
            "MIIDHTCCAgWgAwIBAgIJMbzzF7ilNN6uMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNVBAMTIWRldi1rZnhpeWtpMzZrY2Mza2lmLmV1LmF1dGgwLmNvbTAeFw0yMjEwMTgyMjM2MDhaFw0zNjA2MjYyMjM2MDhaMCwxKjAoBgNVBAMTIWRldi1rZnhpeWtpMzZrY2Mza2lmLmV1LmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU5PHIQIRKSeacjReIBOC0Uvdr4m0+cTXS8zk375SPqDBmGtOr6aM9vvnCheDq6TX/ozcAmUaySpPMSCtF4sridzQoLMFaffADZJ1d4ZA9ckdFhwfRUIgCQAA2yQnc6y1Ek8myGYuhlCen2dtf1r5MzuMU3wKHZFHE3dvDqQApk7wDuRLIDUoWwvgq4Kl0WK4yyvLPR5dOVExcnmX4rCtfJ2z4MZNbo7OUk9S/C5tXEyYojXaznbJpJkQ+CKG06ifGxeHDQRfWNj85PqSF4SChyBkdhH16wcF/qEIzrxONcPI7oC0e9IdRh8yGt3EBmCFS3AtbRsSQbucvE0cv6NmkCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7wptXIUucD2ghxuMF+rlwYr+52AwDgYDVR0PAQH/BAQDAgKEMA0GCSqGSIb3DQEBCwUAA4IBAQAac9dLqW2gbPlOw//zwIPmcLl6EbO+Xa59ZwZpHHm0c245gxezNIpK3cGTB6CQPRZkSX9sQBwqjI6iKeMJLQMer/LLUGsQLFIzZ30jNiCVY3e3HeLEMQL6wcrp2w6zX94j9ssED7mJp+23+izGBNqznekw7pt+YVJjNEe4DfuZmadsJhzMOOz0N++gCWKeYsrGh2cUHzYATLergnhzxghLltYhfX/N8yYgyOpoHD5BG8R9bFWoFHlFk1xw39MY7/cyUl9QE3HNz2onAF0t7M0/GIYHr60vnT0W8NAdsuR81Bj/oslq5F+Sn9fZNBURaCKsMztObLErpcKh0yit95g8"
          ]
        }
      ]
    }
  }
}

{
  "request": {
    "method": "POST",
    "url": "/oidc/2/token",
    "headers": {
      "Content-Type": {
        "equalTo": "application/x-www-form-urlencoded"
      }
    },
    "bodyPatterns": [
      {
        "contains": "code=admin-code"
      },
      {
        "contains": "redirect_uri="
      },
      {
        "contains": "grant_type=authorization_code"
      }
    ]
  },
  "response": {
    "status": 200,
    "headers": {
      "Content-Type": "application/json; charset=utf-8"
    },
    "jsonBody": {
      "access_token": "...",
      "expires_in": 3600,
      "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkNQODByY3c5NVlERzRTS3EybnpUQSJ9.eyJuaWNrbmFtZSI6InRlc3QiLCJuYW1lIjoidGVzdEB0ZXN0LmNvbSIsInBpY3R1cmUiOiJodHRwczovL3MuZ3JhdmF0YXIuY29tL2F2YXRhci9iNjQyYjQyMTdiMzRiMWU4ZDNiZDkxNWZjNjVjNDQ1Mj9zPTQ4MCZyPXBnJmQ9aHR0cHMlM0ElMkYlMkZjZG4uYXV0aDAuY29tJTJGYXZhdGFycyUyRnRlLnBuZyIsInVwZGF0ZWRfYXQiOiIyMDIyLTEwLTE5VDA3OjExOjI4LjY0MVoiLCJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6Mjc0NDIvb2lkYy8yIiwic3ViIjoiYXV0aDB8NjM0ZmEzMjBhMDYxYTI3MmUxOTNhYWQ0IiwiYXVkIjoic29tZS1jbGllbnQtaWQiLCJpYXQiOjE2NjYyNTk1MDUsImV4cCI6MjU1NDQxNjAwMCwic2lkIjoiNnNGeW9vT3hZME9vTHRwX1R2amNoMGpBYkZFc3BvZnoifQ.TtfvVrd_QuoO3FLqQcQ4mbTkl2z3cJPpSTEmNTKT95etRxugnWMhkXyt9PwOVpWoFh1Ol477e494_ZkCRkoIIFegCYecI87XWEyEWZRqpEE973fLzXz1XWngw9s2osOt0tCFCDj7QX9j1ZchNxmD40L0Z9zui3OEDbs9h2JrCEKgKTdWBU9RDamGfmzsQx362WldWYSzsPhcmbu4fFLrE_nxVQskRCzX9MCRyBxOcsyNgThxhhnHMWKEhrbujQlumxd123YgTB0P3uWlIMtvGUyCFmwXVwWqISOGWbLJvMT9pGo4wYf84dIj2BScaZC7QsuF3m20p1_2f05XcXZFaQ",
      "refresh_token": "...",
      "scope": "openid groups",
      "token_type": "Bearer"
    }
  }
}

I'm no expert with signing/validating methods but as far as I understand, I should be able to match the id_token to be verified by the sign key without actively generating signed jwt tokens. Is that correct?
The problem I have is how to actually generate such key and jwt token so they can be verified and hardcoded in my fake OneLogin server??

Answered by panva

Oct 20, 2022

@stychu this belongs to next-auth

View full answer

panva · 2022-10-20T11:29:25Z

panva
Oct 20, 2022
Maintainer

@stychu this belongs to next-auth

4 replies

stychu Oct 20, 2022
Author

@panva Thanks for quick response! Despite that my stack includes next-auth the line I fail with is await jose.compactVerify(jwt, key instanceof Uint8Array ? key : key.keyObject) so I believe this does fall under jose lib right rather than next-auth? Don't want to be rude or something so apologise if I sound rude ;)

Despite that, I feel that your knowledge and experience is far more superior and my problem case is near finding a solution.

Would you mind pointing me out how I could generate /oidc/2/certs key response so it could match and verify the token?? Can I use https://jwt.io/ for that? Is it the public key that I need? If so how I can decode it to the /oidc/2/certs format.

I would appreciate any help Im fighting with this already for 3 days :(

panva Oct 20, 2022
Maintainer

@stychu if you want to mock authentication done for you by next-auth, you should to look into mocking next-auth, not the underlying libraries it necessarily uses.

cc @balazsorban44

balazsorban44 Oct 20, 2022
Sponsor

@stychu You might want to check out this library: https://github.com/TomFreudenberg/next-auth-mock (haven't tested myself but seems to fit your use case)

Regarding further issues/comments about this, please head over to https://github.com/nextauthjs/next-auth instead.

stychu Oct 20, 2022
Author

Thank you @panva @balazsorban44 Really appreciate! Will look into this one

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Mocking OneLogin with WireMock for Next-Auth #464

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Mocking OneLogin with WireMock for Next-Auth #464

Uh oh!

stychu Oct 20, 2022

Replies: 1 comment · 4 replies

Uh oh!

panva Oct 20, 2022 Maintainer

Uh oh!

Uh oh!

stychu Oct 20, 2022 Author

Uh oh!

panva Oct 20, 2022 Maintainer

Uh oh!

balazsorban44 Oct 20, 2022 Sponsor

Uh oh!

stychu Oct 20, 2022 Author

stychu
Oct 20, 2022

Replies: 1 comment 4 replies

panva
Oct 20, 2022
Maintainer

stychu Oct 20, 2022
Author

panva Oct 20, 2022
Maintainer

balazsorban44 Oct 20, 2022
Sponsor

stychu Oct 20, 2022
Author