Issuer Mismatch in JWTVerifier


I’m new to Okta. I’m demoing the Java Servlet example and am getting the following error when my Servlet Filter calls out to Okta. This is using a token generated by the app.

Expected iss claim to be:, but was:

I noticed in the admin panel that the App I created has the listed under issuer. This is showing up in the iss field of the JWT.

In my Servlet Filter config, I have the okta.oauth2.issuer param set to

I get a different error if I set the init param to

A signing key must be specified if the specified JWT is digitally signed.


If you navigate to API > Security, do you see a default authorization server in there? If so, that’s a custom authorization server. You can read more about the difference between them at Authorization Servers | Okta Developer.


Your Java Servlet sounds like it is configured correctly, but the token you are sending to it was not issued by the same authorization server, which in this case is the custom authorization server called “Default.”

If you’re using the OIDC Debugger tool, can you ensure that the authorize URL you are providing starts with instead of


When I put in just the host for the URL, it takes me to an Okta login. I enter the credentials and land on an Okta homepage.

If I switch the URL back to /v1/authorize, I get an access token,

I went to Security > API > default and see this listed under Issuer

That’s different than what is listed under my Application / Single Sign On / OpenID Connect ID Token value which is

I tried putting the Security / API value in the OIDC Debugger but got a 404.

Is there a special way I need to set up the application for the servlet example to work?


You need to use one of the Custom Authorization Servers found under Security → API → Authorization Servers, otherwise your Java Servlet will not be able to validate the tokens. This means both the front end/client requesting the token and the Java Servlet must be referencing the same custom Authorization Server.

If you use a Web app (with Implicit → Access Token enabled in your Allowed Grant Types) to request an access token, as in my below screenshot, does OIDC Debugger work?

With a token issued with those settings and with your Java Servlet configured with the issuer as I expect this to work. If you’re still having issues with the OIDC Debugger tool, you may prefer trying to walk through the flow yourself by following our guides.

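The issuer mismatch discussed above, as an added diagnostic that is my own example and not code from the Okta sample or the okta-jwt-verifier library: it decodes the token's claims without checking the signature and reports which configured value (issuer or audience) disagrees with the token. The Okta domain, the two issuer URLs (org server vs. custom "default" server) and the audience api://default are assumed sample values; a real verifier must also validate the signature against the issuer's keys before trusting any claim.

```python
import base64
import json

# Constructed sample values; the org authorization server and the custom
# "default" authorization server issue tokens with different iss claims.
ORG_ISSUER = "https://example.okta.com"
CUSTOM_ISSUER = "https://example.okta.com/oauth2/default"
EXPECTED_AUDIENCE = "api://default"  # assumed audience of the custom server


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(token: str, expected_issuer: str, expected_audience: str) -> list:
    """Mirror the verifier's iss/aud checks and return human-readable problems."""
    claims = decode_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"Expected iss claim to be: {expected_issuer}, but was: {iss}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if expected_audience not in aud_list:
        problems.append(f"Expected aud claim to contain: {expected_audience}, but was: {aud}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed test token (alg=none, empty signature) for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Token minted by the org server, servlet configured for the custom server.
    bad = make_unsigned_token({"iss": ORG_ISSUER, "aud": EXPECTED_AUDIENCE})
    for problem in check_claims(bad, CUSTOM_ISSUER, EXPECTED_AUDIENCE):
        print(problem)
```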

Thanks for the help. I got something working by adding a new endpoint to the Security / API screen.

I also changed the Java Servlet Example by

  • Adding the new endpoint with a policy and a rule
  • Adding audience as a filter param
  • Putting a return in after the doChain()

I’m writing up a GitHub issue about the second item.

My next step is to get this to work with app://default and avoid the extra configuration.

Thanks again,

This is the PR for the above: Successful cases were falling through to authorizationFailure() by bekwam · Pull Request #17 · okta/samples-java-servlet · GitHub