JwtInvalidIssuerError: Missing Issuer. Expected:

I am using the jwtVerify function and I am getting the error in the title. I am passing in the following things, which are definitely not null: issuerBaseUrl in the first parameter, and then in the second parameter I pass an option that looks like this:
{
  issuerBaseUrl: config.issuerBaseUrl,
  secret: config.clientSecret!,
  clientId: config.clientId!,
  grantType: "AUTHORIZATION_CODE"
}
I still get this failedAssertion:
failedAssertion: { actual: undefined, expected: [ 'MYKINDESITE.kinde.com' ] }
I am using the access token from the frontend, which it gets via a generic OIDC client. My tokens look like this:
{
  "aud": [],
  "iat": 1706383810,
  "jti": "5848e275-911a-4fcf-a7f0-dbf30a920fee",
  "scp": []
}
I'm stuck and I think I'm confused. Am I using the wrong kind of token? Do I have something misconfigured somewhere?
6 Replies
vitaminDFishInThaSea•5mo ago
My biggest gripe is that this jwtVerify function seems to be undocumented. OK so I've been forced to send the id_token. How come? Is there some middleware that would work with just the access token?! I've been recommended to not send id tokens on a normal request. But sending the access token I just get that error. What can I possibly do? In addition, in the Kinde dashboard I set up my access token to have my users' email. That isn't appearing in my latest tokens:
{
  "aud": [],
  "iat": 1706387738,
  "jti": "582342bb-51cc-4449-951f-f4f9aba03374",
  "scp": [
    "openid",
    "profile",
    "email",
    "offline"
  ]
}
halp 😦
onderay•5mo ago
Hey @snusguy123 sorry you are experiencing this. What Kinde SDK are you using? Either way, the error message indicates that the actual issuer of the token is undefined, while the expected issuer is 'MYKINDESITE.kinde.com'. The issuer of the token is usually specified in the 'iss' field of the JWT. From the token content you've provided, it seems like the 'iss' field is missing. This could be the reason why you're getting an undefined issuer error. The 'aud' field in your token is also empty. This field usually contains the audience that the token is intended for. If you're using this token to authenticate against a specific API or service, you should ensure that the audience of the token matches the identifier of the API or service. If you're using Kinde's SDKs, you should ensure that the issuerBaseUrl, clientId, and clientSecret are correctly configured. The issuerBaseUrl should match the domain of your Kinde instance, and the clientId and clientSecret should match the credentials of your application in Kinde. If you're not sure about the structure of the JWTs issued by Kinde, you can refer to the Access tokens documentation. It provides an example of a typical access token issued by Kinde, which includes the 'iss' and 'aud' fields.
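A way to run the check described in the reply above before calling a verifier, as an added example that is not part of the original thread or of any Kinde SDK: it decodes a token's payload without verifying the signature and lists the claim checks that would fail. The function names are hypothetical, the sample token is constructed from the payload in the question, and the `exp` check goes beyond what the thread discusses.

```javascript
// Added diagnostic example (not Kinde SDK code). It does NOT verify the
// signature, so use it only to troubleshoot; never authorize on its output.

function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 segments");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// expected.issuer / expected.audience: the values the verifier is configured with.
function diagnoseClaims(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodePayload(token);
  const problems = [];

  if (claims.iss === undefined) {
    problems.push("iss missing");
  } else if (claims.iss !== expected.issuer) {
    problems.push(`iss mismatch: got ${claims.iss}`);
  }

  // aud may be a single string or an array of strings (RFC 7519, section 4.1.3).
  const aud = claims.aud === undefined ? [] : [].concat(claims.aud);
  if (aud.length === 0) {
    problems.push("aud empty");
  } else if (expected.audience && !aud.includes(expected.audience)) {
    problems.push("aud mismatch");
  }

  if (claims.exp === undefined) problems.push("exp missing");
  else if (claims.exp <= nowSeconds) problems.push("exp in the past");

  return { claims, problems };
}

// Constructed sample: an unsigned token carrying the payload shown in the question.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

const sample = makeSampleToken({
  aud: [], iat: 1706383810, jti: "5848e275-911a-4fcf-a7f0-dbf30a920fee", scp: [],
});
const report = diagnoseClaims(sample, { issuer: "MYKINDESITE.kinde.com" });
console.log(report.problems);
```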
vitaminDFishInThaSea•5mo ago
I am using the access token that is returned from my Kinde login via an OIDC client. The reason I posted it here is because Kinde creates this token. I know the ISS is missing - I just have to know why the access token that Kinde gives me doesn't have one. The token is created by createSignInResponse of the oidc-client-ts package. So after using a different app in Kinde, specifically a frontend JavaScript one, I am able to get my ISS and everything filled in...
onderay•5mo ago
Is everything resolved for you now? Or is your app not built with JS?
vitaminDFishInThaSea•5mo ago
This does resolve it but lemme play around for a bit longer. Basically the backend apps in Kinde seem to make some tokens that aren't usable with jwtVerify. This isn't really documented AFAIK.