Bearer error="invalid_token"

We’re using the okta spring boot starter. If we use the swagger-ui page, everything works as expected, I’m able to access the api, get data, and the Open ID Connect information is valid. However, we’re unable to curl our api using the id token received by spring.

For debugging I have a rest api that returns the id token Spring received and which worked successfully within swagger. It looks like this:

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

// Debug endpoint: returns the raw ID token Spring validated for the logged-in user.
public String getJwt(@AuthenticationPrincipal OidcUser user) {
    String token = user.getIdToken().getTokenValue();
    return token;
}

Calling this returns an IdToken. If I use that token and attempt to curl the api:
curl --verbose -X GET "http://localhost:8080/swagger-ui.html" -H "accept: */*" -H "Authorization: Bearer ${IdToken}"

I get 2 different error messages (it’s nondeterministic).

  1. Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: This aud claim is not equal to the configured audience"

Now I can take the id token received and parse it using https://www.jsonwebtoken.io/. It looks healthy, and it should, because it was just successfully validated by the api before being returned.

We see it has an audience “aud” exactly equal to the client Id of the api.

  2. Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found"

This would seem to apply to the header of the jwt:

{
    "typ": "JWT",
    "alg": "RS256",
    "kid": "9CKQSi4BLrnuJjwX1w9eUckaDB_JfaGa9D5cOfVGKa4"
}

In both cases it seems the idToken given to me by Spring on successful calls isn’t usable by curl or other apis for some reason. We get the same errors when we try to call the Spring service from our JavaScript and Android apps as I do using curl.

Again this is with an absolute minimum of configuration of the okta-spring-boot-starter which works through my browser on the swagger ui. I’d like to know how swagger is making the call but I can’t figure out how to pull that information out of the chrome debugger either due to cookie indirection.

Seeing a similar problem passing a JWT through Postman & it responds Bearer error="invalid_token". Did you resolve this?

It looks like the Spring Boot starter is looking for the access token and not the id token.

Okta’s Spring Security integration will parse the JWT access token from the HTTP request’s Authorization: Bearer header value.
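The two errors quoted in the original post (aud not equal to the configured audience, and no matching key for the kid) are exactly what a resource server reports when it is handed an ID token instead of an access token. The script below is an added diagnostic, not code from the thread, from Okta or from the okta-spring-boot-starter: it decodes the header and claims of a compact JWS without verifying the signature and lists the checks that would fail, so the token type can be confirmed before blaming the server configuration. The sample tokens, their issuer URL, client id and kid values are constructed placeholders; the expected audience is api://default, the default of the starter's okta.oauth2.audience property.

```python
import base64
import json

# Added diagnostic (not part of the thread or the okta-spring-boot-starter).
# Decodes a compact JWS without signature verification and reports the
# mismatches that produce the two "invalid_token" errors quoted above.

EXPECTED_AUDIENCE = "api://default"  # default of the starter's okta.oauth2.audience
# Constructed stand-in for the key ids published in the resource server's JWKS.
RESOURCE_SERVER_KIDS = {"constructed-kid-B"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unverified_token(header: dict, claims: dict) -> str:
    # Constructed token with a dummy signature segment. A real Okta token
    # carries an RS256 signature here, which this diagnostic never checks.
    segments = [json.dumps(header).encode(), json.dumps(claims).encode(), b"dummy-signature"]
    return ".".join(b64url_encode(s) for s in segments)


def inspect_token(token: str) -> tuple:
    """Return (header, claims) decoded from the token; the signature is ignored."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def diagnose(token: str, expected_audience: str, known_kids: set) -> list:
    """Return the reasons a resource server would reject this token, [] if none."""
    header, claims = inspect_token(token)
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"aud {audiences} does not include the configured audience {expected_audience!r}")
    if header.get("alg") != "RS256":
        problems.append(f"alg {header.get('alg')!r} is not the expected RS256")
    if header.get("kid") not in known_kids:
        problems.append(f"kid {header.get('kid')!r} is not in the resource server's JWKS (no matching key)")
    if "nonce" in claims:
        problems.append("nonce claim present: this looks like an OIDC ID token, not an access token")
    return problems


# Constructed samples: an ID token (aud = the client id, as in the original
# post) and an access token (aud = the resource server's configured audience).
ID_TOKEN = make_unverified_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid-A"},
    {"iss": "https://dev-000000.okta.com/oauth2/default", "aud": "0oaEXAMPLECLIENTID",
     "sub": "user@example.com", "nonce": "constructed-nonce"},
)
ACCESS_TOKEN = make_unverified_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid-B"},
    {"iss": "https://dev-000000.okta.com/oauth2/default", "aud": "api://default",
     "sub": "user@example.com", "cid": "0oaEXAMPLECLIENTID", "scp": ["openid"]},
)

if __name__ == "__main__":
    for name, token in (("ID token", ID_TOKEN), ("access token", ACCESS_TOKEN)):
        problems = diagnose(token, EXPECTED_AUDIENCE, RESOURCE_SERVER_KIDS)
        print(name, "->", "accepted" if not problems else "; ".join(problems))
```

Run against the real tokens, replace the constructed kid set with the kids from the resource server's JWKS endpoint and pass the token from the Authorization header. An ID token fails on aud (its audience is the client id, not api://default) and, when signed by a key the resource server does not hold, on kid as well, matching the two quoted errors; the access token Spring stores alongside it is the one to send. The decode is deliberately unverified: it reads claims for diagnosis only and does not reproduce the signature check the resource server performs.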

@andrew.rands Are you seeing the error when using the access token or id token?