Kinde
Join the DiscordJoin the Slack

Welcome to the Kinde community.

A
A
A
M
T
Join

JwtInvalidIssuerError: Missing Issuer. Expected:

GGlobalSystemMediaTransportContro
I am using the jwtVerify function and I am getting the error in the title.

I am passing in the following things, which are definitely not null:

issuerBaseUrl in the first parameter, and then in the second parameter I pass an option that looks like this:

Plain Text
{
    issuerBaseUrl: config.issuerBaseUrl,
    secret: config.clientSecret!,
    clientId: config.clientId!,
    grantType: "AUTHORIZATION_CODE"
}


I still get this failedAssertion:

Plain Text
 failedAssertion: { actual: undefined, expected: [ 'MYKINDESITE.kinde.com' ] }


I am using the access token from the frontend, which it gets via a generic OIDC client. My tokens look like this:

Plain Text
{
  "aud": [],
  "iat": 1706383810,
  "jti": "5848e275-911a-4fcf-a7f0-dbf30a920fee",
  "scp": []
}


I'm stuck and I think I'm confused. Am I using the wrong kind of token? Do I have something misconfigured somewhere?
G
A
12 comments
GGlobalSystemMediaTransportContro
My biggest gripe is that this jwtVerify function seems to be undocumented.
GGlobalSystemMediaTransportContro
OK so i've been forced to send the id_token. How come? is there some middleware that would work with just the access token?!
GGlobalSystemMediaTransportContro
I've been reocmmended to not send id tokens on a normal request. But sending the access token I just get that error. What can I possibly do?

In addition, in the Kinde dashboard i setup my access token to have my users email. That isn't appearing in my latest tokens:

Plain Text
{
    "aud": [],
    "iat": 1706387738,
    "jti": "582342bb-51cc-4449-951f-f4f9aba03374",
    "scp": [
        "openid",
        "profile",
        "email",
        "offline"
    ]
}


halp 😦
AAndre @ Kinde
Hey @GlobalSystemMediaTransportContro sorry you are experincing this. What Kinde SDK are you using?
AAndre @ Kinde
Either way, the error message indicates that the actual issuer of the token is undefined, while the expected issuer is 'MYKINDESITE.kinde.com'.

The issuer of the token is usually specified in the 'iss' field of the JWT. From the token content you've provided, it seems like the 'iss' field is missing. This could be the reason why you're getting an undefined issuer error.

The 'aud' field in your token is also empty. This field usually contains the audience that the token is intended for. If you're using this token to authenticate against a specific API or service, you should ensure that the audience of the token matches the identifier of the API or service.

If you're using Kinde's SDKs, you should ensure that the issuerBaseUrl, clientId, and clientSecret are correctly configured. The issuerBaseUrl should match the domain of your Kinde instance, and the clientId and clientSecret should match the credentials of your application in Kinde.

If you're not sure about the structure of the JWTs issued by Kinde, you can refer to the Access tokens documentation. It provides an example of a typical access token issued by Kinde, which includes the 'iss' and 'aud' fields.
GGlobalSystemMediaTransportContro
I am using the access token that is returned from my kinde login via an OIDC client.
GGlobalSystemMediaTransportContro
The reason i posted it here is because kinde creates this token. I know the ISS is missing - i just have to kniw why the access token that Kinde gives me doesnt have one.
GGlobalSystemMediaTransportContro
The token is created by createSignInResponse of the oidc-client-ts package.
GGlobalSystemMediaTransportContro
so after using a different app in kinde, specifically a frontend javascript one, i am able to get my ISS and everything filled in...
GGlobalSystemMediaTransportContro
Attachment
image.png
AAndre @ Kinde
Is everything resolved for you now? Or is your app not built with JS?
GGlobalSystemMediaTransportContro
This does resolve it but lemme play around for a bit longer.

Basically the backend apps in Kinde seem to make some tokens that arent usable with jwtverify. This isnt really documented AFAIK.
Add a reply
Sign up and join the conversation on Discord
Join