Issuer Mismatch in JWTVerifier

Carl · April 7, 2021, 2:35pm

Hi,

I’m new to Okta. I’m demoing the Java Servlet example and am getting the following error when my Servlet Filter calls out to Okta. This is using a token generated by the oidcdebugger.com app.

Expected iss claim to be: https://dev-999999999.okta.com/oauth2/default, but was: https://dev-99999999.okta.com.

I noticed in the admin panel that the App I created has the https://dev-99999999.okta.com listed under issuer. This is showing up in the iss field of the JWT.

In my Servlet Filter config, I have the okta.oauth2.issuer param set to https://dev-999999999.okta.com/oauth2/default.

I get a different error if I set the init param to https://dev-99999999.okta.com.

A signing key must be specified if the specified JWT is digitally signed.

Thanks,
Carl

mraible · April 7, 2021, 2:52pm

If you navigate to API > Security, do you see a default authorization server in there? If so, that’s a custom authorization server. You can read more about the difference between them at Authorization Servers | Okta Developer.

andrea · April 7, 2021, 3:06pm

Your Java Servlet sounds to be configured correctly, but the token you are sending to it was not issued by the same authorization server, which in this case is the custom authorization server called “Default.”

If you’re using the OIDC Debugger tool, can you ensure that the authorize URL you are providing starts with https://dev-999999999.okta.com/oauth2/default instead of https://dev-999999999.okta.com?

Carl · April 7, 2021, 3:19pm

When I put in just the host for the URL, it takes me to an Okta login. I enter the credentials and land on an Okta homepage.

If I switch the URL back to /v1/authorize, I get an access token,

Carl · April 7, 2021, 3:29pm

I went to Security > API > default and see this listed under Issuer

https://dev-999999999.okta.com/oauth2/default

That’s different than what is listed under my Application / Single Sign On / OpenID Connect ID Token value which is

https://dev-99999999.okta.com

I tried putting the Security / API value in the odicdebugger but got a 404.

Is there a special way I need to set up the application for the servlet example to work?

-Carl

andrea · April 7, 2021, 3:36pm

You need to use one of the Custom Authorization Servers found under Security → API → Authorization Servers, otherwise your Java Servlet will not be able to validate the tokens. This means both the front end/client requesting the token and the Java Servlet must be referencing the same custom Authorization Server.

If you use a Web app (with Implicit → Access Token enabled in your Allowed Grant Types) to request an access token, as in my below screenshot, does OIDC Debugger work?

With a token issued with those settings and with your Java Servlet configured with the issuer as https://dev-999999999.okta.com/oauth2/default I expect this to work. If you’re still having issues with the OIDC Debugger tool, you may prefer trying to walk through the flow yourself by following our guides.

Carl · April 7, 2021, 4:24pm

Thanks for the help. I got something working by adding a new endpoint to the Security / API screen.

I also changed the Java Servlet Example by

Adding the new endpoint with a policy and a rule
Adding audience as a filter param
Putting a return in after the doChain()

I’m writing up a GitHub issue about the second item.

My next step is to get this to work with app://default and avoid the extra configuration.

Thanks again,
Carl

Carl · April 7, 2021, 4:35pm

This is the PR for the above Successful cases were falling through to authorizationFailure() by bekwam · Pull Request #17 · okta/samples-java-servlet · GitHub

system · February 6, 2024, 11:23pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.