Daniel
Kinde
Created by Daniel on 2/21/2025 in #💻┃support
Error verifying JWTs signed by Kinde from Next.js to Express API
I may have come a bit further now. I pass my access token from my client to my Express backend API, and there I use a third-party library (jwks-rsa) to verify the token using my Kinde jwksUri. I have now come so far that it invalidates the token due to a missing audience. I have set up my API in Kinde and gave it an audience, but the token does not contain this audience from client to backend; aud is []. I have authorized the API against the application in the Kinde portal. If I go to the API in Kinde and generate a token, it actually contains aud, but the token I get when authenticating in the client is empty. Any guidance on this? Thanks.
3 replies
Created by Daniel on 2/13/2025 in #💻┃support
Protect Next.js API Routes?
Hi @Ages and thank you so much for this. I will read through the links. The reason I did not use withAuth for API routes was just because I could not get it to work for API calls from other clients. I maybe missed something.
7 replies
Created by Daniel on 2/13/2025 in #💻┃support
Protect Next.js API Routes?
which indicates that the validation of the JWT is not succeeding:
try {
  // Verify the JWT token
  const decoded = jwt.verify(token, SECRET_KEY);
  console.log(decoded);
  // Attach decoded user data to the request
  (request as any).user = decoded;
  return null; // No need to return anything if token is valid
} catch (error) {
  return NextResponse.json({ message: "Unauthorized: Invalid token" }, { status: 401 });
}
7 replies
Created by Daniel on 2/13/2025 in #💻┃support
Protect Next.js API Routes?
I can see my bearer token in the log, but I always get this in Postman: { "message": "Unauthorized: Invalid token" }
7 replies
Created by Daniel on 2/13/2025 in #💻┃support
Protect Next.js API Routes?
If it helps anyone to help me, this is what my middleware looks like now (where I have tried solving this challenge):
import { withAuth } from "@kinde-oss/kinde-auth-nextjs/middleware";
import { NextRequest, NextResponse } from "next/server";
import jwt from "jsonwebtoken"; // For JWT validation

const SECRET_KEY = process.env.KINDE_CLIENT_SECRET || "KINDE_CLIENT_SECRET"; // Your secret key

// JWT Validation for API routes
async function validateJwtToken(request: NextRequest) {
  const authHeader = request.headers.get("Authorization");

  console.log(authHeader);

  if (!authHeader || !authHeader.startsWith("Bearer ")) {
    console.log(authHeader);
    return NextResponse.json({ message: "Unauthorized: Missing or invalid token" }, { status: 401 });
  }

  const token = authHeader.split(" ")[1];

  try {
    // Verify the JWT token
    const decoded = jwt.verify(token, SECRET_KEY);
    console.log(decoded);
    // Attach decoded user data to the request
    (request as any).user = decoded;
    return null; // No need to return anything if token is valid
  } catch (error) {
    return NextResponse.json({ message: "Unauthorized: Invalid token" }, { status: 401 });
  }
}

export default async function middleware(req: NextRequest) {
  // Apply Kinde Auth to non-API routes
  if (!req.nextUrl.pathname.startsWith("/api/v1")) {
    return withAuth(req); // Continue with Kinde's authentication for non-API routes
  }

  // Apply JWT validation for API routes
  const jwtResponse = await validateJwtToken(req);
  if (jwtResponse) {
    return jwtResponse; // If the token is invalid, respond with Unauthorized
  }

  // If both checks pass, allow the API request to proceed
  return NextResponse.next();
}

export const config = {
  matcher: [
    // This will match all paths, allowing both non-API and API routes to be handled
    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
  ],
};
7 replies
Created by TJ on 4/25/2024 in #💻┃support
Protect Next.js route handlers with machine-to-machine application?
Did you get a solution to this?
12 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
Thanks, I will try setting it to true directly and try again
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
10 claims are being set but not User.Identity.Name
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
Could it be that it's not being set correctly? I will check that out as well.
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
In the settings file I have, yes: "MapInboundClaims": true,
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(opt =>
{
    opt.SignedOutCallbackPath = new PathString("/signout-callback-oidc");
    opt.SignedOutRedirectUri = "/";
});
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
Could it be that I have misinterpreted the docs? I thought that was managed "automatically" by .NET AddAuthentication.
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
User = authState.User;
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
Do you get a feeling for what could cause User.Identity.Name to be null when successfully signed in?
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
It works like a charm. I am so grateful for your time
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
Thank you so much
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
The first one is in the Razor page and the second in Program.cs.
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
app.MapPost("/auth/logout", async (HttpContext context) =>
{
    var returnUrl = context.Request.Form["ReturnUrl"].ToString();
    await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
    var redirectUrl = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl;
    context.Response.Redirect(redirectUrl);
});
47 replies
Created by Daniel on 2/6/2025 in #💻┃support
Kinde & .NET Blazor Server?
I tried two ways:
<form action="auth/logout" method="post">
    <AntiforgeryToken />
    <input type="hidden" name="ReturnUrl" value="@currentUrl" />
    <button type="submit" class="dropdown-item notify-item">
        <i class="ri-logout-box-line"></i>
        <span>Logout</span>
    </button>
</form>
47 replies