Can't create a JWT using jsonwebtoken.dev

mraible · October 30, 2024, 5:29pm

I’m trying to use this documentation to create a JWT so I can read a list of users from Okta’s API using client credentials. When I submit the form values to generate a JWT, it results in the following error.

I realize I can use JJWT as a workaround, but that seems like a lot of work.

My use case is I’m trying to create an API integration in another system that uses client credentials to get a user. Ideally, the following would work (from these docs):

curl --request POST \
  --url https://dev-87506503.okta.com/oauth2/v1/token \
  --header 'Accept: application/json' \
  --header 'Authorization: Basic MG9...' \
  --header 'Cache-control: no-cache' \
  --header 'Content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=okta.users.read'

Unfortunately, it results in the following error:

{"error":"invalid_client","error_description":"Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."}

andrea · October 30, 2024, 5:37pm

Hey @mraible! Can you provide a screenshot showing what you are providing to jsonwebtoken.dev when you try to use it to generate a JWT (censoring your private key, naturally!) I think I’ve encountered this issue before as well, but I believe the cause was due to some malformed JSON bodies being passed in

mraible · October 30, 2024, 5:44pm

I’m using the value returned from https://dev-87506503.okta.com/oauth2/v1/keys for the signing key. For the payload, I’m using:

{
    "aud": "https://dev-87506503.okta.com/oauth2/v1/token",
    "iss": "0oakriog6sNqa2Owb5d7",
    "sub": "0oakriog6sNqa2Owb5d7",
    "exp": "1730267241"
}

andrea · October 31, 2024, 3:31pm

Ah, that might be it then. While your payload looks good, you need to pass it a private key, not a public key, to sign the JWT, which is why you need to generate your own key pair for this purpose.

Luckily, you can let Okta generate a Public/Private key pair for you either within the UI or via API. You can then use the JWKS (for the public/private key) that Okta returns as your signing key and it will contain all the parts of a private key. Structure of this key is as follows:

{
	    "d": "***",
	    "p": "***",
	    "q": "***",
	    "dp": "***",
	    "dq": "***",
	    "qi": "***",
	    "kty": "RSA",
	    "e": "AQAB",
	    "kid": "***",
	    "n": "***"
	}

mraible · November 1, 2024, 7:20pm

Happy Friday, Andrea! I was able to generate a public/private key with the UI and successfully generated a signed JWT using https://www.jsonwebtoken.dev. I set this as a TOKEN environment variable, then tried to Get an access token as specified in the docs:

curl --location --request POST 'https://dev-87506503.okta.com/oauth2/v1/token' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=okta.users.read' \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode 'client_assertion=$TOKEN'

The response I get is:

{
  "errorCode": "invalid_client",
  "errorSummary": "A client_id must be provided in the request.",
  "errorLink": "invalid_client",
  "errorId": "oaeuwYwd_9ZQY6MxWgxAiBvzQ",
  "errorCauses": []
}

The client ID I used to generate the signed JWT is from the service app I created. Do the docs need to be updated or am I doing something wrong?

mraible · November 1, 2024, 7:30pm

If I don’t use $TOKEN in the curl command, and use the raw value instead, it works. Then, I can make a request to the /api/v1/users API with the returned access token and see users.

curl -i -X GET 'https://dev-87506503.okta.com/api/v1/users' \
  -H 'Authorization: Bearer ...' \
  -H 'Content-Type: string'

Thanks for all your help!

mraible · November 1, 2024, 7:50pm

Here are the HTTPie commands (for my own reference, since it’s my preferred HTTP client).

# Get an access token with a signed JWT
https --form POST dev-87506503.okta.com/oauth2/v1/token \
  'Accept: application/json' \
  grant_type=client_credentials \
  scope=okta.users.read \
  client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
  client_assertion=$TOKEN

ACCESS_TOKEN=<returned value>

https dev-87506503.okta.com/api/v1/users Authorization:'Bearer '$ACCESS_TOKEN

system · November 22, 2024, 4:50pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Client authentication 'The client JWKSet is invalid.' Error OAuth/OIDC	4	1324	April 4, 2024
JWT authentication fails / app keys not in /oauth2/default/v1/keys Questions	3	6884	October 15, 2020
Getting invalid_client error with JWT-signed (Public/Private Key) on Custom Authorization Server OAuth/OIDC	1	50	February 6, 2025
Getting invalid_client when trying to get access token using token API OAuth/OIDC	8	10583	March 7, 2024
List users using token created from client credentials API	6	869	May 4, 2024

Can't create a JWT using jsonwebtoken.dev

Related topics