Client authentication 'The client JWKSet is invalid.' Error

Hello,

I am using Client authentication with JWT private key.
I am trying to request a token using

curl --location --request POST 'https://dev-xxxxxxxx.okta.com/oauth2/default/v1/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=client_credentials' --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' --data-urlencode 'scope=sample'  --data-urlencode 'client_assertion=<signed_jwt_token>'

and getting

{"error":"invalid_client","error_description":"The client JWKSet is invalid."}

For the application client ID: 0oafjf3kufB7woz6P5d7
When I access, /api/v1/apps/0oafjvhxp5OJeGRku5d7
I see under response.settings.oauthClient.jwks.keys the public certificate I have uploaded.

However, under the well-known URL https://dev-xxxxxxxx.okta.com/oauth2/v1/keys I don't see the same keys I uploaded in the application.

corresponding log that I see

Not sure if I have something setup incorrectly or anything like that.
Appreciate any pointers.

Also while looking at similar posts I saw

I checked the endpoint of my application and can confirm I see the certificate under jwks.keys
oauth2/v1/clients/0oafjf3kufB7woz6P5d7

@igagansingh could you please ensure that you have the correct crv parameter specified in the registered JWKS for your client?
Additionally, if you are comfortable with this, could you share the actual public key value that you currently have configured with me, either here or via DM? I can create an internal ticket to ensure that the reporting is more helpful in scenarios like this.


@dzeller
I am new here so I guess I don't see any DM options.
I can share the keys here. I have created them using KeyStore Explorer and converted them to JWK format using https://pem2jwk.vercel.app/

This is from the /oauth2/v1/clients/0oafjf3kufB7woz6P5d7 endpoint

{
    "kty": "EC",
    "id": "pksfjf4s28IsQegiN5d7",
    "alg": "ES256",
    "kid": "3a3b66106fec35fb7345b",
    "use": "sig",
    "x": "6cwAP9jd5thohzmxYAnlcMf1BfwtZqtHx7p1ZD6qOk4",
    "y": "v8QJadxeGxv8GSbbp6-y9tYEoQHXfLhZ35gH-FV61J4",
    "crv": "p256"
}

Thank you for the quick response and help.
I am not 100% familiar with the ECDSA algorithms.

Also, I don't know if this will be helpful, but I am using JWT.io to get the JWT token.
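The hint about the crv parameter is the crux of the thread: RFC 7518 registers the NIST curve names as "P-256", "P-384" and "P-521" (case-sensitive, with the hyphen), so a JWK carrying "crv": "p256" is not a recognised EC key and the whole client JWK set is rejected. The following validator is an added example, not Okta's code and not the poster's; it runs the structural checks a practitioner would want before uploading a JWKS for private_key_jwt client authentication (kty, crv name, alg/curve consistency, coordinate length, no private component, and an on-curve test for P-256). The key embedded below is the one posted above; the extra "id" member is Okta's own response field, not a JWK parameter, and is ignored.

```python
"""Sanity-check an EC JWK set before registering it as a client JWKS.

Added example (not Okta's code or the original poster's). The curve names,
alg mappings and P-256 domain parameters come from RFC 7518 and FIPS 186-4;
everything else is a plain structural check.
"""
import base64
import json

# RFC 7518 section 6.2.1.1 curve names -> (matching JWS alg, coordinate length in bytes)
EC_CURVES = {
    "P-256": ("ES256", 32),
    "P-384": ("ES384", 48),
    "P-521": ("ES512", 66),
}

# NIST P-256 parameters: the curve is y^2 = x^3 - 3x + b (mod p)
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, the encoding JWK uses for coordinates."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def check_ec_jwk(jwk: dict) -> list[str]:
    """Return a list of findings for one EC JWK; an empty list means it looks valid."""
    findings = []
    if jwk.get("kty") != "EC":
        findings.append(f"kty must be 'EC' for an EC key, got {jwk.get('kty')!r}")
        return findings
    crv = jwk.get("crv")
    if crv not in EC_CURVES:
        # This is the defect in the posted key: "p256" instead of "P-256".
        findings.append(f"crv {crv!r} is not a registered curve name; use one of {sorted(EC_CURVES)}")
        return findings
    expected_alg, coord_len = EC_CURVES[crv]
    if "alg" in jwk and jwk["alg"] != expected_alg:
        findings.append(f"alg {jwk['alg']!r} does not match curve {crv} (expected {expected_alg})")
    if jwk.get("use", "sig") != "sig":
        findings.append(f"use {jwk['use']!r}: a client assertion needs a signing key")
    if not jwk.get("kid"):
        findings.append("kid is missing; the client assertion header must reference it")
    if "d" in jwk:
        findings.append("private component 'd' is present; register only the public JWK")
    coords = {}
    for name in ("x", "y"):
        raw = jwk.get(name)
        if not isinstance(raw, str):
            findings.append(f"{name} coordinate is missing")
            continue
        try:
            decoded = b64url_decode(raw)
        except ValueError:
            findings.append(f"{name} coordinate is not valid base64url")
            continue
        if len(decoded) != coord_len:
            findings.append(f"{name} decodes to {len(decoded)} bytes; {crv} needs {coord_len}")
        else:
            coords[name] = int.from_bytes(decoded, "big")
    # On-curve test, implemented here for P-256 only.
    if crv == "P-256" and len(coords) == 2:
        x, y = coords["x"], coords["y"]
        if (y * y - (x * x * x - 3 * x + P256_B)) % P256_P != 0:
            findings.append("(x, y) is not a point on P-256; the coordinates are corrupted")
    return findings


def check_jwks(jwks: dict) -> dict[str, list[str]]:
    """Check every key in a JWK set; findings are keyed by kid (or by index)."""
    report = {}
    for i, key in enumerate(jwks.get("keys", [])):
        label = key.get("kid") or f"keys[{i}]"
        report[label] = check_ec_jwk(key)
    return report


# The JWK exactly as posted in the thread; "id" is an Okta response field, not a JWK member.
POSTED_JWK = {
    "kty": "EC",
    "id": "pksfjf4s28IsQegiN5d7",
    "alg": "ES256",
    "kid": "3a3b66106fec35fb7345b",
    "use": "sig",
    "x": "6cwAP9jd5thohzmxYAnlcMf1BfwtZqtHx7p1ZD6qOk4",
    "y": "v8QJadxeGxv8GSbbp6-y9tYEoQHXfLhZ35gH-FV61J4",
    "crv": "p256",
}

if __name__ == "__main__":
    print(json.dumps(check_jwks({"keys": [POSTED_JWK]}), indent=2))
    # Same key with the RFC 7518 curve name, which is the fix for the posted JWK.
    print(json.dumps(check_jwks({"keys": [dict(POSTED_JWK, crv="P-256")]}), indent=2))
```

Run it against the JSON returned by the application's jwks.keys before registering a client: the first report flags only the crv name, and the second (same key, crv corrected to "P-256") clears that finding. The checks stop at the crv name because the remaining ones depend on knowing which curve the coordinates belong to.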
