Access token key not returned by /oauth2/v1/keys


I was developing a login for our internal SPA using Okta. To do that, I created a dev account to start with while our IT team was configuring the Okta application.

I used https://dev-{blabla} as the issuer and set up the frontend using @okta/okta-auth-js:7.4.2 and the backend in Go with v1.3.1. Everything was working well: the login starts with authClient.getWithRedirect(...), I was receiving the access_token and the id_token, then getting the access token and sending it to the backend as a Bearer token; the backend, properly configured with the same issuer and client ID, was using the oktaVerifier.VerifyAccessToken method, which was succeeding. So, in summary, everything was working well…

Then the IT team finally created the Okta application, so I set the issuer to our https://{company} and set the proper client ID. Soon I realised that the issuer should be set to https://{company}, as the frontend redirect was not working; after I changed it, the redirect was working, but I was receiving an authorization error in my backend. I checked the internals of the library and realised that the access token is compared against two keys retrieved from /oauth2/v1/keys, and none of those has the same key ID as the access token's kid, while the ID token returned by the same redirect has a kid matching one of the key IDs. But I read that the ID token should not be used in the backend in any case.

I can assure you that the client ID and the issuer are set correctly and match in both applications, but I cannot explain why the access token now cannot be validated in the backend. Any help on this :pray:?

This is related to: Okta Help Center (Lightning). The API Access Management feature must be used in order to be able to use access tokens in Okta; IMO this is a very opaque thing that should be pointed out in more places.

1 Like
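The kid mismatch described in the thread, as an added Go example that is not from the original posts or from Okta's verifier library: it reads the kid from a token header, checks it against a JWKS document in the shape of a /v1/keys response, and reports whether the issuer the backend is pointed at publishes that key at all. The JWKS and the tokens are constructed fixtures with placeholder key IDs; in a real check the JWKS would be fetched from the configured issuer's keys endpoint.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed JWKS in the shape of an issuer's /v1/keys response (placeholder kids, no key material).
const sampleJWKS = `{"keys":[{"kty":"RSA","kid":"org-key-1","use":"sig"},{"kty":"RSA","kid":"org-key-2","use":"sig"}]}`

// constructedToken builds an unsigned compact JWT carrying the given kid; a fixture so the check runs offline.
func constructedToken(kid string) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr := enc([]byte(fmt.Sprintf(`{"alg":"RS256","kid":%q}`, kid)))
	return hdr + "." + enc([]byte(`{"sub":"user@example.test"}`)) + ".sig"
}

// jwtKid reads "kid" from a compact JWT header. No signature is checked: this locates a key, it never trusts the token.
func jwtKid(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Kid string `json:"kid"` }
	if err == nil {
		err = json.Unmarshal(raw, &hdr)
	}
	return hdr.Kid, err
}

// kidPublished reports whether the token's kid is in jwks; false is the thread's symptom: no published key matches.
func kidPublished(token string, jwks []byte) (bool, error) {
	kid, err := jwtKid(token)
	if err != nil {
		return false, err
	}
	var doc struct{ Keys []struct{ Kid string `json:"kid"` } `json:"keys"` }
	if err := json.Unmarshal(jwks, &doc); err != nil {
		return false, err
	}
	for _, k := range doc.Keys {
		if k.Kid == kid {
			return true, nil
		}
	}
	return false, nil
}
```

When the access token's kid is absent from the issuer's key set while the ID token's kid is present, the token was signed by a different authorization server than the one the backend is configured with, which is the situation the follow-up post resolves with API Access Management.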

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.