JWKS keys: Invalid issuer

What is the difference between the keys found at the following URLs?

{{url}}/api/v1/apps/{{appId}}/credentials/keys/{{keyId}}

{{url}}/oauth2/default/v1/keys

A little background on the ask: we are trying to configure OAuth for one of our systems. It needs x5c in the keys URI. I could not find x5c info in the authorization server keys URI, but the application keys URI has it. So we provided the application keys URI and the token endpoint as {{url}}/oauth2/default/v1/token.

When the application is trying to validate the public key using client credentials, it's getting an invalid issuer error. The issuer URL that we are using is {{url}}/oauth2/default

I came across this article, Invalid signature in Access and Id Token, which sounds similar to the issue I am facing, but I am not sure how to resolve it. I would appreciate any help.

The issuer URLs for the app and the authorization server in Okta are as below:

Authorization Server: {{url}}/oauth2/default
App: I believe it's just {{url}}. I cannot see it in the developer console, but I can see it in the classic UI.

The keys used by the authorization server to sign the tokens can only be retrieved from the /keys endpoint [https://developer.okta.com/docs/reference/api/oidc/#keys]

The application key is not used by OAuth apps and is only intended for SAML apps [https://developer.okta.com/docs/reference/api/apps/#application-key-credential-object]


Thank you. That makes sense.

Is there a way we could get x5c in {{url}}/oauth2/default/v1/keys? The system we are planning to integrate needs x5c.

Okta does not expose x5c. It exposes the exponent ('e') and modulus ('n') as part of the /keys endpoint. Using these, you can generate the PEM-encoded public key using tools like https://github.com/jpf/okta-jwks-to-pem (not Okta maintained). This should be enough to validate the JWT, hence Okta does not expose the X.509 signing certificate.
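To make the point of the reply above concrete, here is an added example (not Okta's code and not the linked tool's code) that does what jpf/okta-jwks-to-pem does underneath: it takes a JWK that carries only `n` and `e`, builds the PEM public key from them, and then verifies an RS256 JWT against the JWKS, including the `iss` check that produced the "invalid issuer" error in this thread. It uses only the Python standard library; the issuer URL, the `kid`, and the throwaway RSA key it generates for itself are constructed placeholders, and the hand-rolled signing exists only to fabricate a token to check. A real integration should use a maintained JOSE library rather than this code.

```python
"""Verify an RS256 JWT against a JWKS that exposes only 'n' and 'e' (no x5c),
as the Okta /keys endpoint does. Added example; standard library only."""
import base64
import hashlib
import hmac
import json
import random

ISSUER = "https://example-org.okta.com/oauth2/default"  # placeholder for {{url}}/oauth2/default

# JWS uses unpadded base64url; JWK integers are unsigned big-endian bytes.
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def int_to_b64url(i: int) -> str:
    return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))

# Minimal DER writer for SubjectPublicKeyInfo (the "BEGIN PUBLIC KEY" format).
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def _der_int(i: int) -> bytes:
    body = i.to_bytes((i.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def jwk_to_pem(jwk: dict) -> str:
    """PEM public key from a JWK's n and e, i.e. what okta-jwks-to-pem produces."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))                   # RSAPublicKey
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_pub))     # SubjectPublicKeyInfo
    b64 = base64.b64encode(spki).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes (RS256)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_jwt(token: str, jwks: dict, expected_issuer: str) -> dict:
    """Return the payload only if alg, kid lookup, signature and issuer all check out."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unsupported alg")            # never honour an attacker-chosen alg
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode("ascii"), k)
    if not hmac.compare_digest(em, expected):
        raise ValueError("invalid signature")
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("iss") != expected_issuer:       # the check that failed in this thread
        raise ValueError(f"invalid issuer: {payload.get('iss')!r}")
    return payload

# Constructed fixture only: a throwaway key and a token signed with it, so the
# verifier above has something to check offline. Not a key generator for real use.
def _probable_prime(n: int, rounds: int = 24) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                         # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def make_fixture(issuer: str = ISSUER, kid: str = "demo-kid"):
    """Return (jwks, token): a JWKS with n/e only and an RS256 token it can verify."""
    while True:
        p, q = _gen_prime(512), _gen_prime(512)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e:
            break
    d = pow(e, -1, phi)
    jwks = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": int_to_b64url(n), "e": int_to_b64url(e)}]}
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer, "sub": "demo-user",
                                        "aud": "api://default"}).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(f"{header}.{payload}".encode("ascii"), k), "big")
    return jwks, f"{header}.{payload}.{b64url_encode(pow(m, d, n).to_bytes(k, 'big'))}"

if __name__ == "__main__":
    jwks, token = make_fixture()
    print(jwk_to_pem(jwks["keys"][0]))
    print(verify_jwt(token, jwks, ISSUER))
    try:   # configuring the org-level URL as issuer reproduces the thread's error
        verify_jwt(token, jwks, "https://example-org.okta.com")
    except ValueError as err:
        print(err)
```

The `__main__` section reproduces the situation in the thread: the same token verifies when the expected issuer is the authorization server URL (`{{url}}/oauth2/default`) and fails with "invalid issuer" when the org-level URL is configured instead. Note that the signature check uses only `n` and `e`; nothing in RS256 validation needs the X.509 certificate from `x5c`.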

Thank you padma!! I appreciate you taking the time to respond.

Kishore.