Getting invalid_token on Okta with Spring Boot 2 and Angular 7

Hi,
I am following this URL (https://developer.okta.com/quickstart/#/angular/java/spring) for Okta integration.
We have two separate applications: a client (Angular 7, configured as a SPA in the dev Okta portal) and a server (Spring Boot 2.x). After starting the Angular app and authenticating, when Angular sends the access token to the server app for API calls, we get a 401 "invalid_token" error.

WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Invalid token", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Token:
eyJraWQiOiIyTjdvTTA2Tk1DSkdvMlNveU1Hd3ZyUWR3OVoxcFotaXotb2J4MEQtVEtrIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnJ3anJkYVprRTN5dDdfTFk2RVh0WkczUDhhUnJ6RldoaE9sRFNTSXFLeUEiLCJpc3MiOiJodHRwczovL2Rldi0xMTk4NTYub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTYyNzQ0OTUzLCJleHAiOjE1NjI3NDg1NTMsImNpZCI6IjBvYXVtbWhsYUV5UzV5U0lOMzU2IiwidWlkIjoiMDB1dHhnMGc1WUxBeDFIaGUzNTYiLCJzY3AiOlsib3BlbmlkIiwiZW1haWwiXSwic3ViIjoidGVzdC5Vc2VyMUBnbWFpbC5jb20ifQ.oLUfQqI-QRuB1rUmer1MZIUu2AbhSB-Bjcu3dlsyDCYt2FAZwf_yDSYXgN-0_k9tKE6uC4yyCGCihQzHd9LJcO9v6VZMLMJEERNQe2ULeCDvQfvoIYZLakT8A6GOy_PLjsQxP5XmAd2K_iuS-07XntTacCdKowbkvI_MWYv3me1U6qekS-kX72dfzxc-TOWpkkzI3homf2aClRxqyf7MURcVgjQZEuNNejHbu7e1EaNN56nZWVhuieEDjLu0UBGdJi32Yom1JmCsb1HPjR5vDvEZs17Ws12Resk_gFg0mX-zjbPWf2NBS2ppSFPQPGHBhlKJDy9s_M9YpDMU4CYS2g

pom.xml

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>1.2.1</version>
</dependency>

application.properties:
logging.level.root=DEBUG
logging.level.org.springframework.security=DEBUG
okta.oauth2.issuer=https://dev-119856.okta.com/oauth2/default
okta.oauth2.audience=api://default
okta.oauth2.client-id=0oaummhlaEyS5ySIN356

Angular:
Import into the app module:
import { OktaAuthModule } from '@okta/okta-angular';

const config = {
  issuer: 'https://dev-119856.okta.com/oauth2/default',
  redirectUri: 'http://localhost:4210/implicit/callback',
  clientId: '0oaummhlaEyS5ySIN356'
};

OktaAuthModule.initAuth(config)

Import the implicit callback into the app routing module:
import { OktaCallbackComponent } from '@okta/okta-angular';
{
  path: 'implicit/callback',
  component: OktaCallbackComponent
}

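A first diagnostic step for a 401 invalid_token like the one above, as an added example that is not code from the post or from Okta: decode the token's header and claims without verifying the signature and compare them with what the resource server is configured to accept (issuer, audience, expiry, and whether there is a kid to look up in the JWKS). The issuer, audience and client ID are the ones in the post; make_sample_token, its dummy signature and the sub value are constructed for the demo. Nothing this script returns is trustworthy for authorization, since the signature is never checked; it only tells you which configuration mismatch to look at first.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.

    Diagnostic use only: until the signature is verified against the issuer's JWKS,
    every value returned here is attacker-controlled and must not drive authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_against_resource_server(token: str, issuer: str, audience: str,
                                  now: Optional[float] = None) -> List[str]:
    """List the reasons a resource server configured with `issuer`/`audience` would reject `token`.

    Mirrors the claim checks a JWT resource server performs after the signature (issuer,
    audience, expiry); an empty list leaves only the signature/JWKS step to suspect.
    """
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r; Okta access tokens are RS256" % header.get("alg"))
    if not header.get("kid"):
        problems.append("header has no kid, so no JWKS entry can be selected for verification")
    if claims.get("iss") != issuer:
        problems.append("iss %r != configured issuer %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        problems.append("aud %r does not contain configured audience %r" % (aud, audience))
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp < now:
        problems.append("token expired at %d (now %d)" % (exp, now))
    return problems


def make_sample_token(claims: Dict, kid: str = "constructed-kid") -> str:
    """Build a CONSTRUCTED token with a dummy signature so the checks can be exercised offline."""
    def enc(obj) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = {"kid": kid, "alg": "RS256"}
    return ".".join([enc(header), enc(claims), _b64url_encode(b"not-a-real-signature")])


if __name__ == "__main__":
    ISSUER = "https://dev-119856.okta.com/oauth2/default"   # okta.oauth2.issuer from the post
    AUDIENCE = "api://default"                                # okta.oauth2.audience from the post
    # Claims shaped like the posted access token; everything except iss/aud/cid is constructed.
    token = make_sample_token({"ver": 1, "iss": ISSUER, "aud": AUDIENCE, "iat": 1562744953,
                               "exp": 1562748553, "cid": "0oaummhlaEyS5ySIN356",
                               "scp": ["openid", "email"], "sub": "user@example.com"})
    print(check_against_resource_server(token, ISSUER, AUDIENCE, now=1562745000))
    # The same token presented to a resource server whose issuer is the org URL instead:
    print(check_against_resource_server(token, "https://dev-119856.okta.com", AUDIENCE, now=1562745000))
```

Paste a real token from the browser's Authorization header in place of the constructed one; if the list comes back empty, the remaining suspects are the signature itself and the JWKS URL the server derives from the issuer.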

I have the same problem in my app.
I’m using Spring Boot and Angular 8.

Here is my Response Header:

WWW-Authenticate:

Bearer realm="oauth2-resource", error="invalid_token", error_description="Invalid access token: eyJraWQiOiJWb0ZXSnUxWUdSQlB6QUNhb2JKZml3WFVIZjRyOVctQVA1U3I0X05vY0ZvIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkFCeksxbWJQTkI4dFJvdjluRnF5Yi11N1VkMnJHQ3E0OGZacHl6a2prMzgiLCJpc3MiOiJodHRwczovL2ZwZm9rdGFucGkub2t0YS5jb20iLCJhdWQiOiJodHRwczovL2ZwZm9rdGFucGkub2t0YS5jb20iLCJzdWIiOiJyb2Jzb24ucmFtb3NAZnBmLmJyIiwiaWF0IjoxNTYzNTQ3MDYyLCJleHAiOjE1NjM1NTA2NjIsImNpZCI6IjBvYXlmdTBiMUlmSlNGMGdJMzU2IiwidWlkIjoiMDB1eTg4cmI2ZWV4RE9yWlIzNTYiLCJzY3AiOlsib3BlbmlkIiwiZW1haWwiXX0.mSkwtNFn9fUUejQ37Ka6fDDhuRT8ELDKyKQI83VEQieS3yUEbxDOqWqGOEaymy5pnzuhbByHcfBK_A3pTPA8i4c4omVEilr1oGAuoOBAWAWs-tvFYy_mpZ9Q8zaYSEpPLTKrPwVNORsdG2qHD-tZm7VuhqU1IgSxNJx3-AhVk-S3kL3KDxmJTUuVN3z7DNogQj8xR3z5PW-zH1B3pYR_abQdsqwAhnnez3ezRfMEwVf-iUHmg2J73WQqzn0d9MLtw2Pdqb4q8CJk3-doiLLcADAOyFezfRdT3iOR8GH84uMlBqMXl5Fgeh0e-yZcntaVPWb1hTE3rKw7z795EBHe1w"

Is there any configuration missing from the app or from Okta?

This is my configuration
Angular 8 App

auth-routing.module.ts
const oktaConfig = {
  issuer: "https://fpfoktanpi.okta.com",
  redirectUri: window.location.origin + "/implicit/callback",
  clientId: "0oayfu0b1IfJSF0gI356"
};


service.ts

this.accessToken = await this.oktaAuth.getAccessToken();
httpOptions[“headers”] = new HttpHeaders({“Authorization”: "Bearer ".concat(this.accessToken)});


Spring Boot app:

@EnableResourceServer   // legacy spring-security-oauth2 resource server, pulled in by spring-security-oauth2-autoconfigure
@SpringBootApplication
@EnableJpaAuditing
@EnableJpaRepositories(
repositoryFactoryBeanClass = EnversRevisionRepositoryFactoryBean.class
)
public class TestApplication {

public static void main(String[] args) {
    SpringApplication.run(TestApplication.class, args);
}

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CORSApplication getCORSApplication() {
    return new CORSApplication();
}

@PostConstruct
void started() {
    TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
}

@Bean
public FilterRegistrationBean<CorsFilter> simpleCorsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.setAllowedOrigins(Collections.singletonList("http://localhost:4200"));
    config.setAllowedMethods(Collections.singletonList("*"));
    config.setAllowedHeaders(Collections.singletonList("*"));
    source.registerCorsConfiguration("/**", config);
    FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
    return bean;
}

}


@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .authorizeRequests().anyRequest().authenticated()
        .and()
        .oauth2ResourceServer().jwt();   // Spring Security 5.1 resource server, configured by the Okta starter
    // @formatter:on

    Okta.configureResourceServer401ResponseBody(http);
}

}


application.yml
okta:
  oauth2:
    client-id: 0oayfu0b1IfJSF0gI356
    issuer: https://fpfoktanpi.okta.com


build.gradle:

plugins {
    id 'org.springframework.boot' version '2.1.5.RELEASE'
    id 'java'
    id "org.liquibase.gradle" version "2.0.1"
    id "net.ltgt.apt" version "0.20"
}

apply plugin: 'io.spring.dependency-management'
apply plugin: 'net.ltgt.apt-idea'

group = 'com.fpf'
version = '1.4.0-BETA'
sourceCompatibility = '1.8'

configurations {
    developmentOnly
    runtimeClasspath {
        extendsFrom developmentOnly
    }
    compileOnly {
        extendsFrom annotationProcessor
    }
}

repositories {
    mavenCentral()
    maven { url 'https://repo.spring.io/snapshot' }
    maven { url 'https://repo.spring.io/milestone' }
}

File propsFile = new File("${projectDir}/src/main/resources/liquibase.properties")
Properties properties = new Properties()
properties.load(new FileInputStream(propsFile))

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
    implementation 'org.springframework.boot:spring-boot-starter-validation'
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.liquibase:liquibase-core'
    implementation 'org.springframework.data:spring-data-envers'
    compileOnly 'org.projectlombok:lombok'
    developmentOnly 'org.springframework.boot:spring-boot-devtools'
    runtimeOnly 'com.microsoft.sqlserver:mssql-jdbc'
    annotationProcessor 'org.projectlombok:lombok'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    compile "io.springfox:springfox-swagger2:2.9.2"
    compile "io.springfox:springfox-swagger-ui:2.9.2"
    compile group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: '2.9.8'
    compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.8.1'
    compile group: 'org.modelmapper', name: 'modelmapper', version: '2.3.2'

    // Okta starter: configures the Spring Security 5.1 OAuth 2.0 resource server (oauth2ResourceServer().jwt())
    compile group: 'com.okta.spring', name: 'okta-spring-boot-starter', version: '1.2.1'
    compile "org.springframework.security:spring-security-oauth2-client"
    compile 'org.springframework.boot:spring-boot-starter-security'

    // Legacy spring-security-oauth2 auto-configuration; this is where @EnableResourceServer comes from
    compile "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.5.RELEASE"

    compileOnly group: 'org.hibernate', name: 'hibernate-jpamodelgen', version: '5.3.7.Final'
    annotationProcessor group: 'org.hibernate', name: 'hibernate-jpamodelgen', version: '5.3.7.Final'
    liquibaseRuntime group: 'org.liquibase.ext', name: 'liquibase-hibernate5', version: '3.6'
    liquibaseRuntime 'com.microsoft.sqlserver:mssql-jdbc'
    liquibaseRuntime 'org.liquibase:liquibase-core'
    liquibaseRuntime 'org.springframework.boot:spring-boot-starter-data-jpa'
    liquibaseRuntime sourceSets.main.output
    compile             "com.google.auto.value:auto-value-annotations:1.6.2"
    annotationProcessor "com.google.auto.value:auto-value:1.6.2"
}

liquibase {
    activities {
        main {
            driver properties['driver']
            url properties['url']
            changeLogFile properties['changeLogFile']
            referenceUrl properties['referenceUrl']
            username properties['username']
            password properties['password']
        }
    }
}

I've updated my backend app and now the error in the response is:

WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Is it necessary to configure an Authorization Server?

I'm using a corporate account, and the Okta site doesn't show the option API > Authorization Servers in the administration UI.
Can you help with this issue?

The Spring app shows this log on a GET request to http://localhost:4200/project-list:

2019-07-19 15:44:55.946 DEBUG 4144 --- [nio-8080-exec-6] o.a.c.authenticator.AuthenticatorBase    : Security checking request GET /technpi/project/project-list/
2019-07-19 15:44:55.946 DEBUG 4144 --- [nio-8080-exec-6] org.apache.catalina.realm.RealmBase      :   No applicable constraints defined
2019-07-19 15:44:55.946 DEBUG 4144 --- [nio-8080-exec-6] o.a.c.authenticator.AuthenticatorBase    :  Not subject to any constraint
2019-07-19 15:44:55.947 DEBUG 4144 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /project/project-list/?roleNpi=NPI at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-07-19 15:44:55.947 DEBUG 4144 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /project/project-list/?roleNpi=NPI at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-07-19 15:44:55.947 DEBUG 4144 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2019-07-19 15:44:55.947 DEBUG 4144 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2019-07-19 15:44:55.947 DEBUG 4144 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /project/project-list/?roleNpi=NPI at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-07-19 15:44:55.947 DEBUG 4144 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /project/project-list/?roleNpi=NPI at position 4 of 13 in additional filter chain; firing Filter: 'CorsFilter'
2019-07-19 15:44:55.947 DEBUG 4144 --- [nio-8080-exec-6] pertySourcedRequestMappingHandlerMapping : looking up handler for path: /project/project-list/
2019-07-19 15:44:55.950 DEBUG 4144 --- [nio-8080-exec-6] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to public org.springframework.http.ResponseEntity<java.util.List<com.fpf.technpi.project.dto.list.ProjectListDTO>> com.fpf.technpi.project.controller.ProjectController.listProjectByProjectFactoryNpi(java.lang.Long,java.lang.Long,java.lang.Long,java.lang.String,java.lang.String,java.lang.Boolean,java.lang.Boolean)
2019-07-19 15:44:55.950 DEBUG 4144 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /project/project-list/?roleNpi=NPI at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2019-07-19 15:44:55.951 DEBUG 4144 --- [nio-8080-exec-6] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher@4647702
2019-07-19 15:44:55.951 DEBUG 4144 --- [nio-8080-exec-6] o.s.s.w.util.matcher.AndRequestMatcher   : Did not match
2019-07-19 15:44:55.951 DEBUG 4144 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /project/project-list/?roleNpi=NPI at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2019-07-19 15:44:55.951 DEBUG 4144 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /project/project-list/' doesn't match 'POST /logout'
2019-07-19 15:44:55.951 DEBUG 4144 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /project/project-list/?roleNpi=NPI at position 7 of 13 in additional filter chain; firing Filter: 'BearerTokenAuthenticationFilter'
2019-07-19 15:44:55.951 DEBUG 4144 --- [nio-8080-exec-6] org.apache.tomcat.util.http.Parameters   : Set encoding to UTF-8
2019-07-19 15:44:55.951 DEBUG 4144 --- [nio-8080-exec-6] org.apache.tomcat.util.http.Parameters   : Decoding query null UTF-8
2019-07-19 15:44:55.952 DEBUG 4144 --- [nio-8080-exec-6] org.apache.tomcat.util.http.Parameters   : Start processing with input [roleNpi=NPI]
2019-07-19 15:44:55.952 DEBUG 4144 --- [nio-8080-exec-6] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider
2019-07-19 15:44:55.952 DEBUG 4144 --- [nio-8080-exec-6] o.s.web.client.RestTemplate              : HTTP GET https://fpfoktanpi.okta.com/oauth2/default/v1/keys
2019-07-19 15:44:55.953 DEBUG 4144 --- [nio-8080-exec-6] o.s.web.client.RestTemplate              : Accept=[text/plain, application/json, application/*+json, */*]
2019-07-19 15:44:56.825 DEBUG 4144 --- [nio-8080-exec-6] s.n.www.protocol.http.HttpURLConnection  : sun.net.www.MessageHeader@62a00b4b5 pairs: {GET /oauth2/default/v1/keys HTTP/1.1: null}{Accept: application/json;charset=UTF-8}{User-Agent: okta-spring-security/1.2.1 spring/5.1.7.RELEASE spring-boot/2.1.5.RELEASE spring-security/5.1.5.RELEASE tomcat/9.0 java/1.8.0_191 Windows 10/10.0}{Host: fpfoktanpi.okta.com}{Connection: keep-alive}
2019-07-19 15:44:57.105 DEBUG 4144 --- [nio-8080-exec-6] s.n.www.protocol.http.HttpURLConnection  : sun.net.www.MessageHeader@736ad4ad19 pairs: {null: HTTP/1.1 403 Forbidden}{Date: Fri, 19 Jul 2019 19:45:02 GMT}{Server: nginx}{Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.io/r/default/hpkp/reportOnly"}{Content-Type: application/json}{X-Okta-Request-Id: XTIdvsy5DFzdWZBpaXq86wAABI8}{X-XSS-Protection: 1; mode=block; report=https://okta.report-uri.com/r/d/xss/enforce}{P3P: CP="HONK"}{X-Rate-Limit-Limit: 2000}{X-Rate-Limit-Remaining: 1999}{X-Rate-Limit-Reset: 1563565562}{Report-To: {"group":"csp-report","max_age":31536000,"endpoints":[{"url":"https://okta.report-uri.com/r/d/csp/reportOnly"}],"include_subdomains":true}}{Content-Security-Policy-Report-Only: default-src 'self' ok7static.oktacdn.com fpfoktanpi.okta.com; connect-src 'self' ok7static.oktacdn.com *.mixpanel.com *.mapbox.com *.pendo.io; script-src 'unsafe-inline' 'unsafe-eval' 'self' ok7static.oktacdn.com; style-src 'unsafe-inline' 'self' ok7static.oktacdn.com; frame-src 'self' login.okta.com; img-src 'self' ok7static.oktacdn.com fpfoktanpi.okta.com *.mapbox.com *.pendo.io; frame-ancestors 'self'; report-uri https://okta.report-uri.com/r/d/csp/reportOnly; report-to csp-report}{X-Content-Type-Options: nosniff}{Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/}{Set-Cookie: JSESSIONID=E7D949DE3C7EBA4FF5D8A9D3F38E3D34; Path=/; Secure; HttpOnly}{Keep-Alive: timeout=5, max=100}{Connection: Keep-Alive}{Transfer-Encoding: chunked}
2019-07-19 15:44:57.106 DEBUG 4144 --- [nio-8080-exec-6] o.s.web.client.RestTemplate              : Response 403 FORBIDDEN
2019-07-19 15:44:57.107 DEBUG 4144 --- [nio-8080-exec-6] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2019-07-19 15:44:57.107 DEBUG 4144 --- [nio-8080-exec-6] .o.s.r.w.BearerTokenAuthenticationFilter : Authentication request for failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden
2019-07-19 15:44:57.107 DEBUG 4144 --- [nio-8080-exec-6] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@55b7029b
2019-07-19 15:44:57.108 DEBUG 4144 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2019-07-19 15:44:57.108 DEBUG 4144 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

This is my config in backend:

application.yml

okta:
  oauth2:
    client-id: 0oayfu0b1IfJSF0gI356
    issuer: https://fpfoktanpi.okta.com/oauth2/default
    audience: 0oayfu0b1IfJSF0gI356

logging:
  level:
    root: DEBUG

@SpringBootApplication
@EnableJpaAuditing
@EnableJpaRepositories(
        repositoryFactoryBeanClass = EnversRevisionRepositoryFactoryBean.class
)
public class TestApplication {

    public static void main(String[] args) {
        SpringApplication.run(TestApplication.class, args);
    }

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public CORSApplication getCORSApplication() {
        return new CORSApplication();
    }

    @PostConstruct
    void started() {
        TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
    }

    @Bean
    public FilterRegistrationBean<CorsFilter> simpleCorsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.setAllowedOrigins(Collections.singletonList("http://localhost:4200"));
        config.setAllowedMethods(Collections.singletonList("*"));
        config.setAllowedHeaders(Collections.singletonList("*"));
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }


    @Configuration
    static class OktaOAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests().anyRequest().authenticated()
                    .and()
                    .oauth2ResourceServer().jwt();

            http.cors();

            Okta.configureResourceServer401ResponseBody(http);
        }
    }

}

Angular App

Service request:

...
httpOptions["headers"] = new HttpHeaders({"Authorization": "Bearer ".concat(this.accessToken)});
...
public getAll(): Observable<T[]> {
    return this.http.get<T[]>(this.fullUrl, httpOptions)
        .pipe(
            tap(response => response as HttpUserEvent<T[]>),
            catchError(ex => this.disableErrors ? from([]) : throwError(ex))
        );
}

Hi @robsonrf

Due to RFC restrictions, the signing keys for access tokens are not provided on Okta authorization servers. As such, access tokens issued by this authorization server cannot be verified locally.

There are two possible ways of verifying the user's identity when using the Okta authorization server:

  • perform the authorization code flow with the request to /token being made server-side (this way the end user does not have access to the JWT tokens and cannot tamper with their details)
  • perform a second request to the /introspect endpoint as specified here in order to validate the token against Okta

Spring Boot configuration:
oktaOrgUrl=https://averydennison.okta.com
okta.oauth2.issuer=https://averydennison.okta.com/oauth2/v1/authorize
okta.oauth2.redirect-uri=/implicit/callback
okta.oauth2.audience=api://default
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://averydennison.okta.com.okta.com/oauth2/0oa1hhdpgukI7pNl90h8/v1/keys

WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Server Logs:

2019-08-21 06:17:24.717 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.s.a.ProviderManager : Authentication attempt using org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider
2019-08-21 06:17:24.717 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.w.c.RestTemplate : HTTP GET https://averydennison.okta.com/oauth2/v1/authorize/v1/keys
2019-08-21 06:17:24.718 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.w.c.RestTemplate : Accept=[text/plain, application/json, application/*+json, */*]
2019-08-21 06:17:24.895 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.w.c.RestTemplate : Response 404 NOT_FOUND
2019-08-21 06:17:24.900 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2019-08-21 06:17:24.900 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] .o.s.r.w.BearerTokenAuthenticationFilter : Authentication request for failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found

Hi @gagan_shah

Can you please change the following variable in Spring Boot

okta.oauth2.issuer=https://averydennison.okta.com/oauth2/{authorization_server_id}/v1/authorize

This will redirect the users to the same authorization server that is used for verifying the JWT’s signature.


Hi @dragos, I tried changing okta.oauth2.issuer to https://{company-name}.okta.com/oauth2/{client-id}/v1/authorize in my Spring Boot application but it does not help :((

Any ideas how to fix this?

Hi @sart96

The value between /oauth2/ and /v1/ represents the authorization server's ID, not the client ID. I've modified the previous post to clarify the use case for future reference. To have an authorization server ID, the Okta tenant used requires the API Access Management feature.

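The two points made in the replies above, put into code as an added example (not Okta's code and not the starter's): the issuer must be the authorization server base URL, since the log earlier shows the server building its JWKS URL by appending /v1/keys to whatever issuer is configured (hence the 404 for an issuer ending in /v1/authorize), and a token from the org authorization server has to be checked with the /introspect endpoint (RFC 7662) rather than locally. okta_endpoint encodes the org-vs-custom authorization server URL layout as I know it (custom servers live under /oauth2/{id}/v1/, the org server under /oauth2/v1/); the "0oa" client-ID prefix check is a heuristic; fake_okta is a constructed stand-in for the introspection endpoint; the client secret, token strings and response bodies are placeholders.

```python
import base64
import json
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode

ORG_AS = re.compile(r"^https://[^/]+$")                            # https://{org}.okta.com
CUSTOM_AS = re.compile(r"^https://[^/]+/oauth2/[A-Za-z0-9_-]+$")   # https://{org}.okta.com/oauth2/{authServerId}


def issuer_problems(issuer: str) -> List[str]:
    """Explain why an okta.oauth2.issuer value cannot work as a resource-server issuer."""
    problems = []
    base = issuer.rstrip("/")
    if not base.startswith("https://"):
        problems.append("issuer must be an https URL")
    if "/v1/" in base:
        # e.g. .../oauth2/v1/authorize: the server appends /v1/keys to it and gets a 404
        problems.append("issuer is an endpoint URL; use the authorization server base URL")
    elif not (ORG_AS.match(base) or CUSTOM_AS.match(base)):
        problems.append("expected https://{org}.okta.com or https://{org}.okta.com/oauth2/{authorizationServerId}")
    elif CUSTOM_AS.match(base) and base.rsplit("/", 1)[1].startswith("0oa"):
        # Heuristic (assumption): Okta application/client IDs start with "0oa"; server IDs do not.
        problems.append("segment after /oauth2/ looks like a client ID, not an authorization server ID")
    return problems


def okta_endpoint(issuer: str, name: str) -> str:
    """Map an Okta issuer to one of its OAuth 2.0 endpoints ("keys", "introspect", "token", ...)."""
    base = issuer.rstrip("/")
    if "/oauth2/" in base:                    # custom authorization server (API Access Management)
        return "%s/v1/%s" % (base, name)
    return "%s/oauth2/v1/%s" % (base, name)   # org authorization server


def naive_jwks_url(issuer: str) -> str:
    """The URL the logs on this page show being requested: issuer + /v1/keys, unconditionally."""
    return issuer.rstrip("/") + "/v1/keys"


def build_introspection_request(issuer: str, token: str, client_id: str,
                                client_secret: str) -> Tuple[str, Dict[str, str], str]:
    """RFC 7662 request: form-encoded POST, client authenticated with HTTP Basic (RFC 6749 2.3.1)."""
    credentials = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    headers = {"Authorization": "Basic " + credentials,
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return okta_endpoint(issuer, "introspect"), headers, body


def introspect(issuer: str, token: str, client_id: str, client_secret: str,
               http_post: Callable[[str, Dict[str, str], str], Tuple[int, str]],
               required_scopes: Tuple[str, ...] = ()) -> Dict:
    """Validate a token by asking the authorization server; http_post(url, headers, body) -> (status, body)."""
    url, headers, body = build_introspection_request(issuer, token, client_id, client_secret)
    status, text = http_post(url, headers, body)
    if status != 200:
        return {"ok": False, "reason": "introspection endpoint returned HTTP %d" % status, "claims": {}}
    resp = json.loads(text)
    # RFC 7662 2.2: unless active is exactly true, reject and trust no other field in the response.
    if resp.get("active") is not True:
        return {"ok": False, "reason": "token is not active", "claims": {}}
    granted = set((resp.get("scope") or "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return {"ok": False, "reason": "missing scopes: %s" % ", ".join(missing), "claims": resp}
    return {"ok": True, "reason": "", "claims": resp}


def fake_okta(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """CONSTRUCTED stand-in for the org authorization server's introspection endpoint."""
    if url != "https://fpfoktanpi.okta.com/oauth2/v1/introspect":
        return 404, json.dumps({"error": "not_found"})        # constructed error body
    if not headers.get("Authorization", "").startswith("Basic "):
        return 401, json.dumps({"error": "invalid_client"})
    fields = dict(parse_qsl(body))
    if fields.get("token") == "valid-opaque-token":           # placeholder token value
        return 200, json.dumps({"active": True, "scope": "openid email", "client_id": "0oayfu0b1IfJSF0gI356",
                                "sub": "user@example.com", "iss": "https://fpfoktanpi.okta.com",
                                "exp": 1563550662, "token_type": "Bearer"})
    return 200, json.dumps({"active": False})


if __name__ == "__main__":
    for iss in ("https://fpfoktanpi.okta.com", "https://dev-119856.okta.com/oauth2/default",
                "https://averydennison.okta.com/oauth2/v1/authorize"):
        print(iss, "->", issuer_problems(iss) or okta_endpoint(iss, "keys"))
    print(naive_jwks_url("https://averydennison.okta.com/oauth2/v1/authorize"))   # the 404 URL from the log
    print(introspect("https://fpfoktanpi.okta.com", "valid-opaque-token", "0oayfu0b1IfJSF0gI356",
                     "client-secret-placeholder", fake_okta, required_scopes=("openid",)))
```

In a real resource server the http_post argument would be an HTTPS client carrying the server's own client credentials, never the SPA's public client ID alone, and the result should be cached only for the lifetime the exp in the response allows, since each call is a round trip to Okta and counts against the rate limits visible in the response headers logged above.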

I had similar issues, but not exactly the same. Posting here in case it can assist someone.
I had the same issue with the invalid token. I'm using Let's Encrypt to generate the SSL cert.

I solved this by doing the following. When you're at the upload "TLS certificate" page in the Okta portal:

Copy cert.pem into Certificate, privkey.pem into Private key and chain.pem into Certificate chain.

With Let's Encrypt, fullchain.pem doesn't work for the certificate chain in Okta, but using chain.pem works.

It seems that the certificate chain is mandatory if you're using a custom domain with the code flow login logic.
