We’re using the okta spring boot starter. If we use the swagger-ui page, everything works as expected, I’m able to access the api, get data, and the OpenID Connect information is valid. However, we’re unable to curl our api using the id token received by spring.
For debugging I have a rest api that returns the id token Spring received and which worked successfully within swagger. It looks like this:
// Debug endpoint: returns the raw ID token value Spring holds for the logged-in user
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

public String getJwt(@AuthenticationPrincipal OidcUser user) {
    String token = user.getIdToken().getTokenValue();
    return token;
}
Calling this returns an IdToken. If I use that token and attempt to curl the api:
curl --verbose -X GET "http://localhost:8080/swagger-ui.html" -H "accept: */*" -H "Authorization: Bearer ${IdToken}"
I get 2 different error messages (it’s nondeterministic).
- Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: This aud claim is not equal to the configured audience"
Now I can take the id token received and parse it using https://www.jsonwebtoken.io/ It looks healthy and it should because it was just successfully validated by the api before being returned.
We see it has an audience “aud” exactly equal to the client Id of the api.
- Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found"
This would seem to apply to the header of the jwt:
{
    "typ": "JWT",
    "alg": "RS256",
    "kid": "9CKQSi4BLrnuJjwX1w9eUckaDB_JfaGa9D5cOfVGKa4"
}
In both cases it seems the idToken given to me by Spring on successful calls isn’t usable by curl or other apis for some reason. We get the same errors when we try to call the Spring service from our JavaScript and Android apps as I do using curl.
Again this is with an absolute minimum of configuration of the okta-spring-boot-starter which works through my browser on the swagger ui. I’d like to know how swagger is making the call but I can’t figure out how to pull that information out of the chrome debugger either due to cookie indirection.
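Both errors quoted in the post come from the resource server's decode step, so the quickest check is to look at the token's header (`alg`, `kid`) and its `aud` claim offline and compare `aud` with whatever audience the resource server is configured to expect. The following is an added diagnostic example, not code from the post or from the okta-spring-boot-starter; it decodes a JWT without verifying the signature, and the client ID, configured audience and token contents are constructed placeholders.

```python
import base64
import json

# Constructed placeholders (not values from the original post).
CLIENT_ID = "0oa_constructed_client_id"      # what an ID token's aud carries
CONFIGURED_AUDIENCE = "api://constructed"     # what a resource server might expect


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_jwt(header: dict, claims: dict) -> str:
    """Build a token with an EMPTY signature, only to have offline test input.
    Real tokens are signed; this is never something a server should accept."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}."


def inspect_jwt(token: str) -> dict:
    """Return header and claims WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


def audience_check(claims: dict, expected_audience: str) -> tuple:
    """Mirror the resource server's aud check; 'aud' may be a string or a list."""
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience in auds:
        return True, "aud matches configured audience"
    return False, f"aud {auds} does not contain configured audience {expected_audience!r}"


def diagnose(token: str, expected_audience: str) -> dict:
    """Summarise the fields behind the two error messages in one place."""
    info = inspect_jwt(token)
    ok, reason = audience_check(info["claims"], expected_audience)
    return {"alg": info["header"].get("alg"), "kid": info["header"].get("kid"),
            "aud_ok": ok, "reason": reason}
```

Running `diagnose()` on a token whose `aud` is the client ID, against an audience configured as something else, reproduces the first error's condition; `alg` and `kid` are the fields the second error refers to, so they are surfaced alongside it.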