JWKS keys: Invalid issuer

What is the difference between the keys found at the following URLs?



A little background on the ask: we are trying to configure OAuth for one of our systems. It needs x5c in the keys URI. I could not find x5c info in the authorization server keys URI, but the application keys URI has that. So we provided the application keys URI and the token endpoint as {{url}}/oauth2/default/v1/token.

When the application is trying to validate the public key using client credentials, it's getting an invalid issuer error. The issuer URL that we are using is {{url}}/oauth2/default

I came across this article, Invalid signature in Access and Id Token, which sounds similar to the issue that I am facing. But I am not sure how to resolve it. I appreciate any help.

The issuer URLs for the app and the authorization server in Okta are as below:

Authorization Server: {{url}}/oauth2/default
App: I believe it's just {{url}}. I cannot see it in the developer console; I can see it in the classic UI.

The keys used by the authorization server to sign the tokens can only be retrieved from the /keys endpoint [https://developer.okta.com/docs/reference/api/oidc/#keys]

The application key is not used by OAuth apps and is only intended for SAML apps [https://developer.okta.com/docs/reference/api/apps/#application-key-credential-object]


Thank you. That makes sense.

Is there a way we could get x5c in {{url}}/oauth2/default/v1/keys? The system we are planning to integrate needs x5c.

Okta does not expose x5c. It exposes the exponent ('e') and modulus ('n') as part of the /keys endpoint. Using these, you can generate the PEM-encoded public key using tools like https://github.com/jpf/okta-jwks-to-pem (not Okta maintained). This should be enough to validate the JWT, hence Okta does not expose the X.509 signing certificate.
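As an added, stand-alone illustration of the answer above (this is example code written for this thread, not Okta's code and not the okta-jwks-to-pem tool): it takes the `n` and `e` members of an RSA JWK, wraps them in a DER SubjectPublicKeyInfo and emits the PEM public key, then verifies an RS256 JWT against the JWK and checks the `iss` claim against the configured issuer. It uses only the Python standard library. The RSA key pair is generated inside the script for the demo and is not suitable for real use; the issuer strings reuse the `{{url}}` placeholder from the thread. Running the script shows the "invalid issuer" outcome from the original question: a token whose `iss` is `{{url}}` fails when the application expects `{{url}}/oauth2/default`, even though the signature itself is valid.

```python
"""JWK (n, e) -> PEM public key, plus RS256 signature and issuer checks. Stdlib only."""
import base64
import hashlib
import hmac
import json
import random


def b64url_decode(s: str) -> bytes:
    # JWK and JWT values are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# --- minimal DER encoder, enough for SubjectPublicKeyInfo(rsaEncryption) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(i: int) -> bytes:
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


# AlgorithmIdentifier { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }
_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def jwk_to_pem(jwk: dict) -> str:
    """Build a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) from an RSA JWK's n and e."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA JWKs are supported")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    spki = _der(0x30, _RSA_ALG_ID + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits
    body = base64.b64encode(spki).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# --- RS256 = RSASSA-PKCS1-v1_5 over SHA-256 (DigestInfo prefix from RFC 8017) ---
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("key too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_jwt(token: str, jwk: dict, expected_issuer: str):
    """Return (True, 'ok') or (False, reason). Checks alg, then signature, then iss."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return False, "malformed token"
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        return False, "unexpected alg"
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(s_b64), "big")
    if sig >= n:
        return False, "bad signature"
    em = pow(sig, e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k)
    if not hmac.compare_digest(em, expected):
        return False, "bad signature"
    if claims.get("iss") != expected_issuer:  # the error from the thread
        return False, "invalid issuer"
    return True, "ok"


# --- demo key pair and signer (constructed for this example only) ---
def _probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_demo_keypair(bits: int = 1024, seed: int = 7):
    """Deterministic demo RSA key; seeded so the example is reproducible. Not for real use."""
    rng, e = random.Random(seed), 65537
    while True:
        p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        q = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if p != q and _probable_prime(p, rng) and _probable_prime(q, rng) \
                and (p - 1) % e and (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def jwk_from_numbers(n: int, e: int, kid: str = "demo-kid") -> dict:
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
            "n": b64url_encode(nb), "e": b64url_encode(eb)}


def sign_jwt(claims: dict, n: int, d: int, kid: str = "demo-kid") -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))


if __name__ == "__main__":
    n, e, d = make_demo_keypair()
    jwk = jwk_from_numbers(n, e)
    print(jwk_to_pem(jwk))
    expected_iss = "{{url}}/oauth2/default"  # placeholder issuer from the thread
    print(verify_jwt(sign_jwt({"iss": expected_iss, "sub": "client-id"}, n, d), jwk, expected_iss))
    print(verify_jwt(sign_jwt({"iss": "{{url}}", "sub": "client-id"}, n, d), jwk, expected_iss))
```

In a real integration the JWK would come from the authorization server's `/keys` response (select the entry whose `kid` matches the token header), and the PEM emitted by `jwk_to_pem` is what a system that insists on a certificate-style key can usually consume in place of `x5c`. The ordering in `verify_jwt` is deliberate: the signature is checked before any claim is trusted, and the issuer must match the full authorization server URL, not just the org base URL.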

Thank you padma!! I appreciate you taking the time to respond.