Change signing certificate

My app uses OpenID Connect.
I created the certificate, then updated the app to use the newly created kid using /credentials/keys. What I expect is that the /keys?client_id={id} endpoint returns a key with a kid equal to the one I created, and that tokens are signed/verified with the private/public key pair OKTA created for me as a result of that certificate update. But /keys contains absolutely different kids and token validation fails.

What is wrong here? Maybe I’m misunderstanding the purpose of /credentials/keys? Maybe it would work OK only in a certain context?

Documentation says:
Note: When using a Custom Authorization Server, you may work with a client that can’t call the /keys endpoint to dynamically fetch the JWKS. You can pin that specific client to a specific key by generating a key credential and updating the application to use it for signing. This overrides the Custom AS rollover/pinning behavior for that client. Should you need to turn off automatic key rotation for the entire Custom Authorization Server, you can do that by switching the Signing Key Rotation value to Manual in the Admin Console.

Appreciate any help, thank you!

Are you trying to validate Access Tokens issued by the Org Authorization Server (issuer = https://org.okta.com)?

No, the issuer is https://dev-19951857.okta.com/oauth2/default. Also /default/v1/keys?client_id={} does not reflect the changes I made by creating and updating the certificate.

In fact, the certificate update works well with https://dev-19951857.okta.com/oauth2: https://dev-19951857.okta.com/oauth2/v1/keys?client_id={id} returns the expected kid and I’m able to verify the signed token by using that key, given that Manual Rotation for the application is enabled (it is disabled by default).

But I expect the same behaviour for https://dev-19951857.okta.com/oauth2/default. https://dev-19951857.okta.com/oauth2/default/v1/keys?client_id={id} returns a different key set. How can I make the default auth server apply the keys provided with the certificate when signing tokens?
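The thread turns on one check a token verifier has to make: the `kid` in the JWT header must appear in the JWKS published by the authorization server named in the token's `iss` claim, and the Org server and a Custom Authorization Server publish different key sets. The script below is an added example, not code from the thread or from Okta: it takes the two issuers and keys endpoints named above, a constructed JWKS for each (the `n` values are placeholders, not real RSA moduli) and a constructed token, and reports whether the token's `kid` is published under its own issuer, under the other issuer only, or nowhere. It inspects headers and claims only; it does not verify signatures, which should be left to a JWT library fed with the JWKS for the token's own issuer. A `kid` that matches a key under a different issuer is reported as a diagnosis, never used for verification.

```python
import base64
import json

# Constructed sample data for this example. The two issuers and keys URLs are the
# ones discussed in the thread; the client id, kids and "n" moduli are placeholders.
ORG_ISSUER = "https://dev-19951857.okta.com"
CUSTOM_ISSUER = "https://dev-19951857.okta.com/oauth2/default"
CLIENT_ID = "EXAMPLE_CLIENT_ID"  # placeholder

AUTH_SERVERS = {
    ORG_ISSUER: {
        "keys_url": f"{ORG_ISSUER}/oauth2/v1/keys?client_id={CLIENT_ID}",
        "jwks": {"keys": [
            {"kty": "RSA", "alg": "RS256", "use": "sig",
             "kid": "pinned-kid-EXAMPLE", "n": "PLACEHOLDER", "e": "AQAB"},
        ]},
    },
    CUSTOM_ISSUER: {
        "keys_url": f"{CUSTOM_ISSUER}/v1/keys?client_id={CLIENT_ID}",
        "jwks": {"keys": [
            {"kty": "RSA", "alg": "RS256", "use": "sig",
             "kid": "rotated-kid-EXAMPLE", "n": "PLACEHOLDER", "e": "AQAB"},
        ]},
    },
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(iss: str, kid: str, alg: str = "RS256") -> str:
    """Build a constructed JWT with the given header and claims.

    The third segment is a placeholder, so the token is only useful for
    header/claim inspection, never for signature verification.
    """
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": alg, "kid": kid, "typ": "JWT"}
    claims = {"iss": iss, "aud": CLIENT_ID, "sub": "user@example.com"}
    return f"{enc(header)}.{enc(claims)}.{_b64url_encode(b'placeholder-signature')}"


def parse_token(token: str):
    """Split a compact JWS and decode its header and claims (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose_kid(token: str, auth_servers=AUTH_SERVERS, allowed_algs=("RS256",)) -> dict:
    """Report where (if anywhere) the token's kid is published.

    Statuses: unexpected_alg, unknown_issuer, kid_found (published under the
    token's own issuer), kid_in_other_issuer (published only under another
    issuer, which a verifier must still reject), kid_not_published.
    """
    header, claims = parse_token(token)
    kid, iss, alg = header.get("kid"), claims.get("iss"), header.get("alg")
    result = {"kid": kid, "iss": iss, "alg": alg, "keys_url": None, "found_in": []}
    if alg not in allowed_algs:
        result["status"] = "unexpected_alg"  # e.g. "none" or an HMAC alg
        return result
    server = auth_servers.get(iss)
    if server is None:
        result["status"] = "unknown_issuer"
        return result
    result["keys_url"] = server["keys_url"]
    result["found_in"] = [
        name for name, s in auth_servers.items()
        if any(k.get("kid") == kid for k in s["jwks"]["keys"])
    ]
    if iss in result["found_in"]:
        result["status"] = "kid_found"
    elif result["found_in"]:
        result["status"] = "kid_in_other_issuer"
    else:
        result["status"] = "kid_not_published"
    return result


if __name__ == "__main__":
    # The situation described in the thread: a token from the custom AS carrying
    # the pinned kid, which only the Org server's keys endpoint publishes.
    token = make_sample_token(CUSTOM_ISSUER, "pinned-kid-EXAMPLE")
    print(json.dumps(diagnose_kid(token), indent=2))
```

In the `kid_in_other_issuer` case the useful output is `keys_url`: that is the endpoint a verifier for this issuer actually consults, so it is the one to compare against the key credential the application was updated to use.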

Are you saying the keys for the default server (issuer = https://org.okta.com/oauth2/default) vary from the ones for the Org server (issuer = https://org.okta.com)?