Prior to Okta, we would store our certs in an Azure Key Vault secret, with the name of the key vault secret being that of the kid header value. However, it seems with Okta, that kid value can contain underscores, which is an invalid character when attempting to create an Azure Key Vault Secret name. Is there a way to provide a custom value that can be used for the key name that will be placed in the Okta JWT kid header field?
kid is auto generated when Okta rotates keys.
Currently there is not any sort of way to either provide your own kid or restrict characters used in the
I recommend adding this as a suggest for an enhancement at ideas.okta.com.
Thank you for the reply. I will definitely enter this as a suggestion. I believe it is possible to have a manual rotation of the keys, correct? If so, would it be an option to just manually rotate the keys until we get a secret that doesn’t have an underscore?
Yes that is possible. There is no limitation that I am aware of on the number of times you can rotate keys.
So you could keep rotating until the current key kid does not have an underscore.
Unfortunately, there is currently no way to provide a custom kid value for Okta JWTs. The kid value is auto-generated by Okta when a new key is created. This is because the kid value is used to identify the specific key that was used to sign a JWT, and Okta needs to be able to keep track of this information internally.
I understand that this can be a problem if you need to store the kid value in an Azure Key Vault secret, as Azure Key Vault secret names cannot contain underscores. However, there are a few workarounds that you can use:
You can use a different character instead of an underscore in the kid value. For example, you could use a hyphen or a period.
You can store the kid value in a separate Azure Key Vault secret. This would give you more flexibility in how you name the secret.
You can use a different key management system that allows you to specify custom kid values.
I hope I can help you… But I would suggest you take help from experts like Triotech Systems. And I would also suggest that you pass your feedback along to the Okta product team to see if they will consider adding support for custom kid values in the future.
In the meantime, I hope one of the workarounds that I suggested will work for you.
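As an added example (not code from this thread, from Okta or from Azure), one defensive way to bridge the naming mismatch is to read kid from the token header and derive a deterministic, Key Vault-legal secret name from it by hashing rather than by swapping characters, so two kids differing only in `_` versus `-` cannot collide and the unverified header text never becomes part of a vault identifier. The function names, the `okta-jwk` prefix and the sample kid below are assumptions; the sample token is constructed and unsigned.

```python
import base64
import hashlib
import json
import re

# Azure Key Vault secret names: 1-127 characters, ASCII letters, digits and hyphens only.
KEY_VAULT_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_kid(token: str) -> str:
    """Read kid from the JWT header. The header is unverified input, so kid is only
    a lookup key; the signature must still be verified with the key that lookup returns."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise ValueError("JWT header has no usable kid")
    return kid

def is_valid_secret_name(name: str) -> bool:
    return KEY_VAULT_NAME_RE.fullmatch(name) is not None

def kid_to_secret_name(kid: str, prefix: str = "okta-jwk") -> str:
    """Derive a deterministic, Key Vault-legal secret name from any kid (assumed scheme).
    Hashing instead of swapping characters means 'a_b' and 'a-b' cannot collide, and
    the name carries no attacker-chosen text; keep the original kid in a secret tag."""
    digest = hashlib.sha256(kid.encode("utf-8")).hexdigest()
    name = f"{prefix}-{digest[:40]}"
    if not is_valid_secret_name(name):  # only possible if the prefix itself is illegal
        raise ValueError(f"prefix {prefix!r} yields an invalid secret name")
    return name

def build_unsigned_sample(kid: str) -> str:
    """Constructed sample token (header, empty payload, no signature) used only to
    exercise the parsing above; it is not a real Okta token."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header, payload = seg({"alg": "RS256", "kid": kid}), seg({})
    return f"{header}.{payload}."

# Constructed kid shaped like a base64url value that happens to contain underscores.
SAMPLE_KID = "abC_dEf-GhI_jKl0MnO1pQr2StU3vWx4YzA5bCd6EfG"
```

Because the same derivation runs at both store time and lookup time, the raw kid never has to be a valid secret name; it is only needed as a tag for audit.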