Getting invalid JWT Token from VueJS app for Spring backend

I have simple VueJS application which similar to this one samples-js-vue/okta-hosted-login at master · okta/samples-js-vue · GitHub. Everything is working correctly in frontend meaning I can login and everything. However, when I send JWT token Spring backend I am getting this error.

2024-02-14T12:11:30.360-05:00 DEBUG 77052 --- [nio-8080-exec-3]        : Securing GET /api/posts
2024-02-14T12:11:30.361-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate              : HTTP GET
2024-02-14T12:11:30.361-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate              : Accept=[text/plain, application/json, application/*+json, */*]
2024-02-14T12:11:30.826-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate              : Response 200 OK
2024-02-14T12:11:30.827-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate              : Reading to [java.lang.String] as "application/json"
2024-02-14T12:11:30.830-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Failed to authenticate since the JWT was invalid

In browser console I am getting this

Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri=""

I am using Spring Boot 3.2.2 using following properties.${AUTHORIZATION_URI:}${CLIENT_ID:xxxxxxx}

This is my Spring configuration

public class SecurityConfiguration {

    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests((httpRequestCustomizer) ->
                    it -> {
                        it.authenticationEntryPoint((request, response, e) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()));
                        it.accessDeniedHandler((request, response, e) -> response.setStatus(HttpStatus.FORBIDDEN.value()));
                .oauth2ResourceServer((oauth2ResourceServer) -> oauth2ResourceServer.jwt(Customizer.withDefaults()))

and my CORS configuration is following.

public class CorsConfiguration implements WebMvcConfigurer {

    private final ApplicationProperties applicationProperties;

    public CorsConfiguration(ApplicationProperties applicationProperties) {
        this.applicationProperties = applicationProperties;

    public void addCorsMappings(CorsRegistry registry) {
        var allowedSources = this.applicationProperties.getAllowedSource();

        if (allowedSources != null && !allowedSources.trim().isEmpty()) {

I also did token validation using and it is giving me Invalid Signature. We are really stuck with this issue. We have similar app in using older version of Spring and Vue and it is working correctly.

I recommend testing this using our JWT validation rather than Also, it looks like you should be using the org auth server..

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.