I'm a beginner with Okta and with application authorization workflows in general, so I apologize if my questions seem dumb.
I am currently building an Angular 4 web application that calls REST APIs made with Loopback (a Node.js API framework) to access data.
To secure my web application access I'm using Okta authentication with OpenID Connect (OIDC), with the application configured as an SPA on Okta.
This part works fine, but when I try to validate an Access Token or ID Token on the server side (using @okta/jwt-verifier) I get the following error:
`Error while resolving signing key for kid "QuchAjn_-2c-jpEdGNdhf7s3s8KUQrZMdwCG77WZf0I"`
If I use JWT validation websites like jwt or jsonwebtoken (the sites are in .io, but I can't post more than 2 links per message) I get the same error when I paste my tokens: Invalid Signature (but I can retrieve all the other information contained in the token).
On the client side I'm using angular-oauth2-oidc to manage the user authentication to Okta and retrieve the Access and ID tokens. On the server side, to secure the API endpoints, I'm using @okta/jwt-verifier with the default authorization server as issuer and the client ID of my application.
I saw in this topic that we can see our authorization server's keys at the endpoint `[my okta org].com/oauth2/default/v1/keys`, but there was no key with the kid I have in my Access or ID Token. Is that normal?
I also tried to create a custom authorization server, but I'm a bit lost between the configuration of my client application in the 'Applications' section of Okta and the configuration of the custom authorization server, especially the role of each one and the interaction between them.
I hope I'm clear enough; tell me if that's not the case.
Thank you very much for your help,