Consumption of JWT

Hi Team,

Okta is requesting for the JWT and the system is giving the response in this format:

“access_token”: “eyJraWQiOiJiN2RlMDk3Mi…37Lpw”,
“refresh_token”: “eyJraWQiO…37Lpw”,
“scope”: “openid profile”,
“state”: “U3FFeERpS0l2OGZH…tjeWtWOGxOOA”,
“token_type”: “Bearer”,
“expires_in”: 172800

Here JWT is included in the “access_token” key. But after the JWT call,Okta should call JWKS endpoint.But that is not happening.I have confirmed this from my server side.

At the okta system log “invalid_state” error is coming. It is a generic error.We are not able to see what exactly is happening at the Okta side when we are responding with that response.No error is coming at our server side after sending the response.

“invalid_state” error is coming in the okta logs

What maybe the reason for this?
Is the response structure wrong ? we are just sending that response in the json form
Do we need to send anything else with the response other that JSON response?

I hope someone will help us to rectify this issue

Can you clarify what you’re working on? Is this an external OpenID Connect Identity Provider that you have added to Okta?

Yes. Okta system will request for the JWT and our system will provide the JWT as the response in the format which I have mentioned before

@Jeffin789 please confirm the endpoints you have provided to Okta and where? Just to confirm, is this an external IDP setup per @andrea’s response?

@sigama @andrea

Please find the image for the configurations

Token endpoint: url for getting the JWT from our system
JWKS Endpoint: to get the keys for verifying JWT

This image is pretty cropped, so its hard to tell which section of the console you are in. Can you specify how you got to this page within the Admin Console?

From this link we can reach that configuration section:

In this page,the configurations lies in Endpoints section

And our logs show an invalid_state error, which makes me wonder if there is an issue with how your OIDC server is handling the state parameter that would have been included in /authorize request. Can you confirm if your server then returns that same state parameter when redirecting back to the redirect_uri with the Authorization Code?

This is the curl request sent by the Okta for JWT .But this does not contain any state variables:

curl --location ‘https://ipaddress/api/middleware/v1.0/jwtRequest
–header ‘Content-Type: application/x-www-form-urlencoded’
–data-urlencode ‘grant_type=authorization_code’
–data-urlencode ‘code=94b9c3edcbgdhd7677c6855acd7e36348211125cfb2’
–data-urlencode ‘redirect_uri=
–data-urlencode ‘client_id=sample_clientId’
–data-urlencode ‘client_secret=QHjhgyy45NgzTc’

For this request ,the response we are sending is :
“access_token”: “ey…qg”,
“refresh_token”: “eyJr…qg”,
“aud”: https: //,
“jwt_token”: “ey…qg”,
“scope”: “openid profile email”,
“iss”: “issuer-name”,
“token_type”: “Bearer”,
“expires_in”: 172800

access_token contain the required JWT.
Do we need to send anything else in the header of this response?

This the format of JWT (Decoded)

Is the JWT format is accordance with the OKTA JWT Policy?

After sending the JWT ,we are expecting a JWKS call and it is not coming
What maybe causing this issue?

We have made some changes like passing nonce in JWT and now JWKS call from Okta is successfully happening.

JWKS is in this format:

“keys”: [
“kty”: “RSA”,
“e”: “AQAB”,
“use”: “sig”,
“kid”: “43eb5233-6adc-4139-b6f6-22a76dd0845a”,
“n”: “0XrjfO1NJDT_LZ-V-c6Pmk1YqWinmUC-t9iwe28nv-VU2rSPUpypWB2enFGc_4txKj0T177T7P_KoQu_fc_cTtBPw16QSIWyaWQxR41zx9IOktEEqMRm8QncJz3PDijNfC9-Vh2wF2H5zrt1oWQoW4ggdhfghyjyukuhngbgbvobjUUSVX64FxP0YSAiMhPU7JxPzAE9gy7pQKoCD4-w3SwAMlTvwVzsDJwgPrb91RbtTIrlB7Bpv7ncBRfTYk3sVNLBuXwgrlQlZ3_4wCnBV7uLiZIHKEPOsI0C1hYKZ6bE9jibGsYFMK25MWdPVBVkQFaHSQ”

The response for the JWT request is in this format:

“access_token”: “e…Jw”,
“scope”: “openid profile email”,
“id_token”: “ey…Jw”,
“token_type”: “Bearer”,
“expires_in”: 172800

is this correct?

This is the structure of the JWT we are using:

Is this format correct?

We have also added userinfo endpoint and providing the details in this form:

“sub”: “26dffffffff40019b”,
“lastName”: “doe”,
“email_verified”: true,
“given_name”: “John”,
“pyid”: “26dfggggg8540019b”,
“nonce”: “VfxIQ84juTXbFjn5wwUmYz5-PaeCze8h”,
“picture”: “”,
“aud”: “test_clientId”,
“firstName”: “John”,
“scope”: “openid profile email”,
“name”: “John”,
“nickname”: “John”,
“family_name”: “Doe”,
“email”: “

Is there anything wrong or missing from our end?

Because now we have different error now:

First error coming in logs is this one:

Authenticate user with social login
FAILURE: Unable to JIT user from the Identity Provider

After that this comes:

This is similar to the error discussed in this link:

We tried to solve it by the solution mentioned over there.But we were not able to.

The only thing is that,if we have created a user manually and after that if we try to login,login is successful.
But new user creation (JIT) is failing.

Can you guys please us to resolve this issue?

hi Guys ,
JIT is working now.
we were using firstnameEN and lastnameEN.
But we had to use firstNameEN and lastNameEN

1 Like