AccessToken verification

Hi,

I have a question about verifying an access token. I can use the jwks endpoint to retrieve the correct key for the ID Token, but the access token is signed by an unpublished key. Is this intentional? If not where can I get the correct key?

Testcase:
curl -d "grant_type=password&scope=openid&…removed… https://xxx.okta.com/oauth2/v1/token

id_token signed with kid ‘X’ found in key set at https://xxx.okta.com/oauth2/v1/keys
However access_token signed with a key not found in key set.

you are probably running into the behavior detailed on Okta Help Center (Lightning)

the access tokens minted by the org authorization server cannot be validated locally

1 Like

Thank you. I’m not sure how I missed that since the documentation is fairly clear on local verification. I must have not been looking in the right place.

Using a custom authorization server gets me further but my application requires a userinfo endpoint. The Authorization server does not seem to have one specified in the metadata, but it seems to be supported if I craft the right URL. I could not see any configuration items to control the content of the metadata/discovery document.

userinfo is a OIDC specific item and it is only returned in the OIDC metadata, specific to the ID token, not in the OAuth metadata, specific to the access token