We are attempting to write a script to dynamically update IP addresses in a network zone to block malicious activity.
I have created an application and have given it the proper scope/role. In my Python script, I generate JWKS and save the public key in okta and the private key on my computer for testing. I then use that private key to make a JWT to authenticate to okta token endpoint. This works and I can update the IPs in the network zone.
The issue starts when I attempt to direct the application to go to the URL to retrieve its public key.
When I do this, the first time I attempt to retrieve a token from the "/oauth2/v1/token" endpoint it works properly, but the second time I attempt to get a token it will always fail. This script will need to run once an hour, so we'll need to get a new token every hour since the default token expiration is exactly 60 min.
When it fails to give me a token for the second time it gives me this error:
{'error': 'invalid_client', 'error_description': 'The client_assertion signature is invalid.'}
I was led to believe based on the documentation that using the URL option for the application's public keys would allow me to do key rotation without doing any other registration of the keys in the application itself.
I will point out that I have a hard-coded "kid" field for the JWKS, but that I've also attempted to dynamically generate "kid" values and that it didn't seem to matter. The second token is always denied. I will also point out that the next morning, when I run the script, it will work again, but the second time it will not work again. So there seems to be some type of TTL situation I'm not understanding…
I'm sure I've missed something, so please feel free to ask for details.
Thanks!
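The flow described in the post (a JWKS published for the app, a private key held locally, and a signed JWT presented as a client_assertion to the token endpoint) can be checked locally before the endpoint is ever called. The example below is added here and is not the poster's script or Okta's code; it assumes the `cryptography` package, and the org URL and client_id are placeholders. It builds a JWKS whose `kid` is derived from the key's RFC 7638 thumbprint (so a rotated key can never reuse the old `kid`), signs an RS256 client_assertion with that `kid` in the header, and then runs the same lookup a JWKS-URL-backed token server performs: select the key by `kid`, verify the signature, check `exp` and `aud`. It also walks through a rotation where the new key has not yet been published, and the mismatch case where an assertion carries a `kid` that points at a different key than the one that signed it.

```python
"""Added example (not from the original post): private_key_jwt client
assertion for an OAuth token endpoint, with a local JWKS/kid consistency check."""
import base64
import hashlib
import json
import time
import uuid

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Placeholder values (constructed for this example); use your org URL and the app's client_id.
OKTA_ORG = "https://{yourOktaDomain}"
TOKEN_ENDPOINT = f"{OKTA_ORG}/oauth2/v1/token"
CLIENT_ID = "0oa_example_client_id"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def int_to_b64url(n: int) -> str:
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))


def generate_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def public_jwk(private_key) -> dict:
    """Public JWK whose kid is the RFC 7638 thumbprint, so every new key gets a new kid."""
    nums = private_key.public_key().public_numbers()
    jwk = {"kty": "RSA", "e": int_to_b64url(nums.e), "n": int_to_b64url(nums.n)}
    canonical = json.dumps(jwk, separators=(",", ":"), sort_keys=True).encode()
    jwk["kid"] = b64url(hashlib.sha256(canonical).digest())
    jwk.update({"alg": "RS256", "use": "sig"})
    return jwk


def build_jwks(*private_keys) -> dict:
    """The document served at the app's JWKS URL; keep the old key listed during rotation."""
    return {"keys": [public_jwk(k) for k in private_keys]}


def client_assertion(private_key, kid: str, now=None, ttl: int = 300) -> str:
    """RS256 JWT per RFC 7523: iss and sub are the client_id, aud is the token endpoint."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)


def token_request_form(assertion: str) -> dict:
    """Form body for POST {TOKEN_ENDPOINT}; scope is left to the caller's app configuration."""
    return {"grant_type": "client_credentials",
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion}


def verify_against_jwks(assertion: str, jwks: dict, now=None) -> str:
    """Do what the token server does with the fetched JWKS. Returns 'ok' or a reason."""
    h_b64, c_b64, s_b64 = assertion.split(".")
    header = json.loads(b64url_decode(h_b64))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        return "unknown kid"
    if header.get("alg") != "RS256" or key.get("kty") != "RSA":
        return "alg mismatch"
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    pub = rsa.RSAPublicNumbers(e, n).public_key()
    try:
        pub.verify(b64url_decode(s_b64), f"{h_b64}.{c_b64}".encode(),
                   padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return "signature invalid"   # the key under this kid is not the key that signed
    claims = json.loads(b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return "expired"
    if claims["aud"] != TOKEN_ENDPOINT:
        return "wrong aud"
    return "ok"


if __name__ == "__main__":
    old, new = generate_key(), generate_key()
    old_kid, new_kid = public_jwk(old)["kid"], public_jwk(new)["kid"]
    published = build_jwks(old)                      # what the JWKS URL currently serves
    print("old key:", verify_against_jwks(client_assertion(old, old_kid), published))
    print("new key, not yet published:", verify_against_jwks(client_assertion(new, new_kid), published))
    print("new key under old kid:", verify_against_jwks(client_assertion(new, old_kid), published))
    published = build_jwks(old, new)                 # publish the new key before using it
    print("new key after publish:", verify_against_jwks(client_assertion(new, new_kid), published))
    print("form:", list(token_request_form(client_assertion(new, new_kid)).keys()))
```

Run `verify_against_jwks` against the exact JWKS document your URL is serving right before each `POST` to `/oauth2/v1/token`. If that local check returns `ok` and the endpoint still answers `The client_assertion signature is invalid`, the key the server selected for that `kid` is not the one that produced the signature, which narrows the question to which copy of the JWKS the server is actually verifying against rather than to the JWT itself.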