Error while validating token using jwt verifier

Hi,

I am trying to validate my access token using the Okta JWT verifier, by referring to the link https://github.com/okta/okta-jwt-verifier-java

But I am getting the below error. (The issuer I am using is https://<OKTA_URL>/oauth2/default/v1/authorize)

Caused by: io.jsonwebtoken.JwtException: Failed to fetch keys from URL: https:/oauth2/default/v1/keys
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.updateKeys(RemoteJwkSigningKeyResolver.java:101)
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.getKey(RemoteJwkSigningKeyResolver.java:70)
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.resolveSigningKey(RemoteJwkSigningKeyResolver.java:55)
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:342)
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:513)

Any help is much appreciated.

Thanks

Hi @MDD

Can you please switch the issuer to https://<OKTA_URL>/oauth2/default from https://<OKTA_URL>/oauth2/default/v1/authorize and try once again?

Hi Dragos,

Thanks for your response and changing the issuer URL fixed the issue.

Thanks


Hi Dragos,

I think I might need your help again on this. Our requirement is to generate an access token which will be used to invoke an API call (for example - listusers). To achieve this the scope should be "okta.users.read". I tried generating the access token in different ways but the JWT Validator is always failing.

For the JWT Validator, I am using the below configuration:
String issuerUrl = "https://<OKTA_URL>/oauth2/default";
String audience = "api://default";

Option 1: Tried generating an access token with "default" in the URL
https://<OKTA_URL>/oauth2/default/v1/authorize?client_id=<CLIENT_ID>&response_type=token&response_mode=fragment&scope=okta.users.read&redirect_uri=<REDIRECT_URI>/&nonce=UBGW&state=1234

Output - http://<REDIRECT_URI>/#state=1234&error=invalid_scope&error_description=One+or+more+scopes+are+not+configured+for+the+authorization+server+resource.

Option 2: Generated an access token without "default" in the URL
https://<OKTA_URL>/oauth2/v1/authorize?client_id=<CLIENT_ID>&response_type=token&response_mode=fragment&scope=okta.users.read&redirect_uri=<REDIRECT_URI>/&nonce=UBGW&state=1234

Output - JWT error - A signing key must be specified if the specified JWT is digitally signed.

Option 3: Using the https://oauthdebugger.com/ site, I am able to generate an access token, which is getting validated by the JWT validator, but this site doesn't support the okta.users.read scope.

Let me know if you have any thoughts/suggestions.

Thanks in advance

Hi @MDD

I've checked on my end and, indeed, OAuth for Okta scopes can only be requested at the moment from the Okta authorization server (e.g. /oauth2/v1/authorize), meaning that the only way to verify these tokens is by doing an introspect and checking whether the token is returned as active or not.

@dragos how can I use the introspect call in Postman for the Okta org authorization server?
It is a silly question, but please help.
Thank you

Hi @Shubham6541

You can basically use the same call as for the custom authorization servers:

curl --location --request POST 'https://dragos.okta.com/oauth2/v1/introspect' \
--header 'Accept: application/json' \
--header 'Authorization: Basic MG9hN...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=TOKEN_HERE'
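As an added example (not code from this thread or from the okta-jwt-verifier-java project), here is how the two verification paths discussed above fit together in Java: local JWT validation for tokens from the custom authorization server with the corrected issuer, and introspection for org authorization server tokens carrying okta.users.read. The class name, the <OKTA_URL>, <CLIENT_ID> and <CLIENT_SECRET> placeholders, and a confidential client (client secret available for Basic auth) are assumptions; the introspection response is checked with a deliberately minimal string match instead of a JSON parser.

```java
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
public class OktaTokenCheck {
    // Assumed placeholders: replace with your org domain and the client's credentials.
    static final String OKTA_URL = "https://<OKTA_URL>";
    static final String CLIENT_ID = "<CLIENT_ID>";
    static final String CLIENT_SECRET = "<CLIENT_SECRET>";

    // Custom auth server: the issuer is the server base (not .../v1/authorize); the verifier derives .../v1/keys from it.
    static final AccessTokenVerifier VERIFIER = JwtVerifiers.accessTokenVerifierBuilder()
            .setIssuer(OKTA_URL + "/oauth2/default")
            .setAudience("api://default")
            .build();

    /** Tokens from /oauth2/default: signature, iss, aud and exp are validated against the JWKS. */
    static boolean verifyLocally(String accessToken) {
        try {
            Jwt jwt = VERIFIER.decode(accessToken);
            return jwt.getClaims().containsKey("sub");
        } catch (JwtVerificationException e) {
            return false; // wrong issuer or audience, bad signature, expired, or JWKS unreachable
        }
    }

    /** Tokens from the org server (/oauth2/v1, e.g. with okta.users.read): ask Okta via introspection. */
    static boolean verifyByIntrospection(String accessToken) throws Exception {
        String creds = CLIENT_ID + ":" + CLIENT_SECRET;
        String basic = Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8));
        String form = "token=" + URLEncoder.encode(accessToken, StandardCharsets.UTF_8)
                + "&token_type_hint=access_token";
        HttpRequest req = HttpRequest.newBuilder(URI.create(OKTA_URL + "/oauth2/v1/introspect"))
                .header("Accept", "application/json")
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        // Minimal check without a JSON library: Okta answers {"active":true,...} or {"active":false}.
        return resp.statusCode() == 200 && resp.body().replace(" ", "").contains("\"active\":true");
    }
}
```

Route a token by its iss claim: tokens issued by .../oauth2/default go to verifyLocally, tokens issued by the org server go to verifyByIntrospection, and anything else is rejected.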