JWT authentication fails / app keys not in /oauth2/default/v1/keys

I have a feeling that I’m the 100th guy asking the same question, but for the life of me, I cannot figure out what I’m missing. So please bear with me.

I’ve followed the steps described here: https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/

  • I created a public/private RSA keypair
  • I used the POST command at https://(domain).okta.com/oauth2/v1/clients to create a new client, using the public key earlier created as part of the jwks section in the body.
  • After that, I used https://(domain).okta.com/api/v1/apps/(client_id)/grants to add the scope “okta.users.read”

On the server side, I’m using this library for verifying token: https://github.com/okta/okta-jwt-verifier-java

  • Audience: api://default
  • Issuer: https://(domain).okta.com/oauth2/default

On the client, I use io.jsonwebtoken:jjwt-api#0.10.7 to create the token:

	String jwt = Jwts.builder()
	        .setAudience("https://(domain).okta.com/oauth2/v1/token")
	        .setIssuedAt(Date.from(now))
	        .setExpiration(Date.from(now.plus(5L, ChronoUnit.MINUTES)))
	        .setIssuer("(client_id)")
	        .setSubject("(client_id)")
	        .setId(UUID.randomUUID().toString())
	        .signWith(privateKey)
	        .compact();

The private key is the same as I have created in the first step.

I checked the resulting token on https://jwt.io/ and when inserting the public key, it shows “Signature verified”, so I assume that the token is correct.

However, when I send the token to the server, I get this error message:

java.lang.IllegalArgumentException: A signing key must be specified if the specified JWT is digitally signed.

My assumption is that there is something wrong in the Okta configuration.
The endpoint https://(domain).okta.com/oauth2/default/v1/keys does not include the key that I used when creating the new client.

https://(domain).okta.com/api/v1/apps/(client_id)/ shows the key perfectly well in the jwks section.

How can I get my jwks key into the oauth2/default/v1/keys list? Or is there something else I need to do?

Thanks for your help!

Hi, the link that you shared (https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/) is how to set up the private_key_jwt client authentication for use against Okta. You can use this JWT when making the token request to Okta to get an access token: https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/get-access-token/. The key you upload to the client is so that Okta can validate the signature, not so that your downstream service can validate the signature.

Additionally the guide you are following is for getting access_tokens which can be used against Okta’s APIs as API Tokens. If you are trying to produce tokens which your service can use and validate you should try following this guide: https://developer.okta.com/docs/guides/implement-client-creds/overview/

2 Likes

Awesome, thank you!!!

All the time I was looking in the wrong direction. It works now.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.