Hello!

I was developing a login for our internal SPA using Okta. I created a dev account to start while our IT team was configuring the Okta application.

I used https://dev-{blabla}.okta.com/oauth2/default as the issuer, set up the frontend using @okta/okta-auth-js:7.4.2, and the backend in Go with github.com/okta/okta-jwt-verifier-golang v1.3.1. Everything was working well: the login starts with authClient.getWithRedirect(...), I was receiving the access_token and the id_token, then taking the access token and sending it to the backend as a Bearer token. The backend, properly configured with the same issuer and client ID, was using the oktaVerifier.VerifyAccessToken method, which was succeeding. So, in summary, everything was working well...

Then the IT team finally created the Okta application, so I set the issuer to our https://{company}.okta.com/oauth2/default and set the proper client ID. Soon I realised that the issuer should be set as https://{company}.okta.com, as the frontend redirect was not working. After I changed it the redirect was working, but I was receiving an authorization error in my backend. I checked the internals of the library and realised that the access token is compared against two keys retrieved from /oauth2/v1/keys, and none of those has the same key ID as the access token's kid. Meanwhile, the id token returned by the same redirect has a kid matching one of the key IDs, but I read that the id token should not be used in the backend in any case.

I can assure you that the client ID and the issuer are well set and match in both applications, but I cannot explain why the access token cannot be validated in the backend now. Any help on this?
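As an added diagnostic (not code from the post or from the Okta verifier library), this Go snippet performs the kid lookup the post describes: it reads the kid from the access token's header and checks whether that kid appears in a JWKS document of the shape served at /oauth2/v1/keys. The JWKS and the token are constructed samples; in practice the key document comes from the configured issuer.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample JWKS in the shape of a /oauth2/v1/keys response; only kid matters here.
var sampleJWKS = []byte(`{"keys":[{"kty":"RSA","use":"sig","kid":"kid-A"},{"kty":"RSA","use":"sig","kid":"kid-B"}]}`)

// constructedToken builds an unsigned stand-in JWT whose header carries the given kid.
// Payload and signature segments are placeholders: only the header is inspected below.
func constructedToken(kid string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc([]byte(`{"sub":"constructed"}`)) + "." + enc([]byte("sig"))
}

// kidInJWKS decodes the token's header (no signature check) and reports whether its kid
// appears in the JWKS document, the lookup a verifier must succeed at before it can
// attempt a signature check at all.
func kidInJWKS(token string, jwksJSON []byte) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return false, fmt.Errorf("decoding header: %w", err)
	}
	var hdr struct{ Kid string `json:"kid"` }
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.Kid == "" {
		return false, fmt.Errorf("header is not JSON carrying a kid (%v)", err)
	}
	var set struct{ Keys []struct{ Kid string `json:"kid"` } `json:"keys"` }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return false, fmt.Errorf("parsing JWKS: %w", err)
	}
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid {
			return true, nil
		}
	}
	return false, nil
}
```

Run against the real access token and the real key document, a false result with no error isolates the failure to a key-set mismatch (the kid is simply not published there), as opposed to a signature or claims problem further along in verification.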