
chore(backend): Reject OAuth JWTs for session token token type #7765

Merged

wobsoriano merged 6 commits into main from rob/fix-oauth-jwt-core3 on Feb 4, 2026

Conversation

wobsoriano (Member) commented Feb 4, 2026

Description

Improves token type validation by ensuring OAuth JWTs are properly rejected when acceptsToken is set to 'session_token' (default).

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Improved token type validation in authentication requests to prevent OAuth tokens from being incorrectly accepted as session tokens.
  • Tests

    • Added test coverage to verify that OAuth tokens are properly rejected when session tokens are expected.

vercel bot commented Feb 4, 2026

Deployment: clerk-js-sandbox Ready (Preview), updated Feb 4, 2026 7:59pm UTC

changeset-bot bot commented Feb 4, 2026

🦋 Changeset detected

Latest commit: 766bc68

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
Name Type
@clerk/backend Patch
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch



await app.setup();
await app.withEnv(appConfigs.envs.withEmailCodes);
await app.withEnv(appConfigs.envs.withAPIKeys);
wobsoriano (Member, Author):

We use the withAPIKeys env for machine auth related tests.

OAuth applications use JWT access tokens here.

coderabbitai bot (Contributor) commented Feb 4, 2026

📝 Walkthrough

Walkthrough

This pull request improves token type validation in the authentication system. A new check is added to reject OAuth JWTs when they appear in the Authorization header but a session token is expected. The implementation includes adding an isOAuthJwt verification in the token request handler, a corresponding test case verifying that OAuth JWTs are rejected with a TokenTypeMismatch reason, and an update to the OAuth machine auth test configuration from Email Codes to API Keys. A changeset file documents the patch-level version bump for the backend package.

Pre-merge checks: 3 passed

  • Description check: passed (skipped because CodeRabbit's high-level summary is enabled).
  • Title check: passed. The title accurately describes the main change: adding validation to reject OAuth JWTs when session tokens are expected, which is the primary focus of the changeset across tests and implementation.
  • Docstring coverage: passed. No functions found in the changed files to evaluate docstring coverage.


Comment on lines +418 to +425
if (isOAuthJwt(tokenInHeader!)) {
return signedOut({
tokenType: TokenType.SessionToken,
authenticateContext,
reason: AuthErrorReason.TokenTypeMismatch,
message: '',
});
}
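Review bot: the `message: ''` on the signed-out result gives callers and audit logs nothing to distinguish this rejection from any other TokenTypeMismatch outcome; a short, non-sensitive string such as `message: 'OAuth access token presented where a session token is expected'` would make the failure diagnosable without leaking anything about the token. The `tokenInHeader!` non-null assertion also presumes an earlier guard that a header token exists; if that guard is not immediately adjacent, `tokenInHeader && isOAuthJwt(tokenInHeader)` keeps this branch safe against later refactors. Since isOAuthJwt runs a full verifyToken, this branch verifies the signature before the normal session-token path verifies it again; worth confirming that double verification on every bearer request is acceptable.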
wobsoriano (Member, Author):

isOAuthJwt uses verifyToken under the hood, but also checks whether it is a valid OAuth JWT access token based on RFC 9068.
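The check the author describes just above (verify the token, then ask whether it is an RFC 9068 OAuth access token) and the bug the PR description fixes, shown as an added example that is not Clerk's code: a naive session verifier that accepts any unexpired token the issuer signed, beside a hardened one that refuses an OAuth access token with a token-type-mismatch result. All names (signJwt, verifyJwt, isOAuthAccessToken, verifySessionTokenNaive, verifySessionTokenHardened, SHARED_SECRET) are hypothetical; HS256 with a shared secret stands in for the asymmetric signature and JWKS lookup a real issuer uses, the sample tokens are constructed so the file runs offline, and the classification rule is RFC 9068's `typ` of `at+jwt` or `application/at+jwt` plus its required claims.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Added example, not Clerk code. Every name here is hypothetical; HS256 with a
// shared secret replaces the real asymmetric signature + JWKS verification.

type Json = Record<string, unknown>;
type Decoded = { header: Json; payload: Json };
export type AuthResult =
  | { status: 'signed-in'; claims: Json }
  | { status: 'signed-out'; reason: string; message: string };

export const SHARED_SECRET = 'demo-secret-do-not-use'; // constructed
export const NOW = 1_770_000_000; // fixed clock for the sample tokens (constructed)

const b64url = (buf: Buffer): string => buf.toString('base64url');
const fromB64url = (s: string): Buffer => Buffer.from(s, 'base64url');

function parseJson(segment: string): Json | null {
  try { return JSON.parse(fromB64url(segment).toString('utf8')); } catch { return null; }
}

// Mint an HS256 JWT. The same key signs both token kinds below, which is the
// situation that makes a type check necessary on top of the signature check.
export function signJwt(header: Json, payload: Json, secret: string): string {
  const h = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', ...header })));
  const p = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  return `${h}.${p}.${b64url(sig)}`;
}

// Signature and expiry only: returns the decoded token or null.
export function verifyJwt(token: string, secret: string, now: number = Math.floor(Date.now() / 1000)): Decoded | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const header = parseJson(h);
  const payload = parseJson(p);
  if (!header || !payload) return null;
  if (header.alg !== 'HS256') return null; // pin the algorithm; never let the token choose it
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = fromB64url(s);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (typeof payload.exp !== 'number' || payload.exp <= now) return null;
  return { header, payload };
}

// RFC 9068: a JWT access token is marked by typ "at+jwt" (or "application/at+jwt")
// and carries these claims (section 2.1); resource servers reject other typ values (section 4).
const AT_JWT_CLAIMS = ['iss', 'exp', 'aud', 'sub', 'client_id', 'iat', 'jti'];

export function isOAuthAccessToken(d: Decoded): boolean {
  const typ = String(d.header.typ ?? '').toLowerCase();
  if (typ !== 'at+jwt' && typ !== 'application/at+jwt') return false;
  return AT_JWT_CLAIMS.every(c => c in d.payload);
}

// Before: anything that verifies and is unexpired becomes a session.
export function verifySessionTokenNaive(token: string, secret: string, now?: number): AuthResult {
  const d = verifyJwt(token, secret, now);
  if (!d) return { status: 'signed-out', reason: 'token-invalid', message: 'bad signature or expired' };
  return { status: 'signed-in', claims: d.payload };
}

// After: same verification, then refuse an OAuth access token even though it verifies.
export function verifySessionTokenHardened(token: string, secret: string, now?: number): AuthResult {
  const d = verifyJwt(token, secret, now);
  if (!d) return { status: 'signed-out', reason: 'token-invalid', message: 'bad signature or expired' };
  if (isOAuthAccessToken(d)) {
    return { status: 'signed-out', reason: 'token-type-mismatch', message: 'OAuth access token presented where a session token is expected' };
  }
  return { status: 'signed-in', claims: d.payload };
}

// Constructed sample tokens, both signed with the one issuer key.
export const sessionToken = signJwt(
  { typ: 'JWT' },
  { iss: 'https://issuer.example', sub: 'user_123', sid: 'sess_456', iat: NOW, exp: NOW + 60 },
  SHARED_SECRET,
);
export const oauthToken = signJwt(
  { typ: 'at+jwt' },
  { iss: 'https://issuer.example', sub: 'user_123', aud: 'https://api.example', client_id: 'client_789',
    iat: NOW, exp: NOW + 3600, jti: 'jti_001', scope: 'profile' },
  SHARED_SECRET,
);
// Rewriting typ to disguise the token's kind breaks the signature instead.
const [, oauthPayload, oauthSig] = oauthToken.split('.');
export const typTamperedToken =
  `${b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })))}.${oauthPayload}.${oauthSig}`;

export function demo() {
  return {
    naive: verifySessionTokenNaive(oauthToken, SHARED_SECRET, NOW).status,
    hardened: verifySessionTokenHardened(oauthToken, SHARED_SECRET, NOW),
    session: verifySessionTokenHardened(sessionToken, SHARED_SECRET, NOW).status,
    tampered: verifySessionTokenHardened(typTamperedToken, SHARED_SECRET, NOW),
  };
}
```

The order matters: the signature is verified before `typ` is consulted, so the header cannot be rewritten to smuggle an access token past the check, and the type check is needed at all only because the issuer signs both kinds with the same key, which is exactly the condition under which a signature-only session verifier accepts an OAuth access token.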

pkg-pr-new bot commented Feb 4, 2026

Preview builds of commit 766bc68 are installable with npm i https://pkg.pr.new/<package>@7765 for the following packages: @clerk/agent-toolkit, @clerk/astro, @clerk/backend, @clerk/chrome-extension, @clerk/clerk-js, @clerk/dev-cli, @clerk/expo, @clerk/expo-passkeys, @clerk/express, @clerk/fastify, @clerk/localizations, @clerk/nextjs, @clerk/nuxt, @clerk/react, @clerk/react-router, @clerk/shared, @clerk/tanstack-react-start, @clerk/testing, @clerk/ui, @clerk/upgrade, @clerk/vue.

@wobsoriano wobsoriano merged commit 0aff70e into main Feb 4, 2026
41 checks passed
@wobsoriano wobsoriano deleted the rob/fix-oauth-jwt-core3 branch February 4, 2026 23:39