I have a feeling that I’m the 100th guy asking the same question, but for the life of me, I cannot figure out what I’m missing. So please bear with me.
I’ve followed the steps described here: Implement OAuth for Okta with a service app | Okta Developer
- I created a public/private RSA keypair
- I used the POST command at https://(domain).okta.com/oauth2/v1/clients to create a new client, using the public key created earlier as part of the jwks section in the body.
- After that, I used https://(domain).okta.com/api/v1/apps/(client_id)/grants to add the scope “okta.users.read”
On the server side, I’m using this library for verifying tokens: okta/okta-jwt-verifier-java (GitHub)
- Audience: api://default
- Issuer: https://(domain).okta.com/oauth2/default
On the client, I use io.jsonwebtoken:jjwt-api#0.10.7 to create the token:
import io.jsonwebtoken.Jwts;
import java.security.PrivateKey;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import java.util.UUID;
static String buildToken(PrivateKey privateKey) { // privateKey: the RSA key from the first step
    Instant now = Instant.now();
    String jwt = Jwts.builder()
        .setAudience("https://(domain).okta.com/oauth2/v1/token") // aud: the Okta token endpoint
        .setIssuedAt(Date.from(now))
        .setExpiration(Date.from(now.plus(5L, ChronoUnit.MINUTES))) // short-lived, 5 minutes
        .setIssuer("(client_id)") // iss and sub are both the client_id for a service app
        .setSubject("(client_id)")
        .setId(UUID.randomUUID().toString()) // jti: unique per token
        .signWith(privateKey) // RS256 with the registered private key
        .compact();
    return jwt;
}
The private key is the same as I have created in the first step.
I checked the resulting token on https://jwt.io/ and when inserting the public key, it shows “Signature verified”, so I assume that the token is correct.
However, when I send the token to the server, I get this error message:
java.lang.IllegalArgumentException: A signing key must be specified if the specified JWT is digitally signed.
My assumption is that there is something wrong in the Okta configuration.
The endpoint https://(domain).okta.com/oauth2/default/v1/keys does not include the key that I used when creating the new client.
https://(domain).okta.com/api/v1/apps/(client_id)/ shows the key perfectly well in the jwks section.
How can I get my jwks key into the oauth2/default/v1/keys list? Or is there something else I need to do?
Thanks for your help!
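The flow the linked Okta guide describes, as an added example that is not the poster's code or Okta's: the self-signed JWT is only a client assertion presented to the token endpoint, and the access token Okta returns is what the resource server hands to okta-jwt-verifier-java. It assumes the poster's placeholders for domain and client_id, Java 11 (java.net.http), and jjwt-impl/jjwt-jackson alongside jjwt-api on the runtime classpath; the regex response handling stands in for a proper JSON parser.

```java
import com.okta.jwt.*;
import io.jsonwebtoken.Jwts;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.time.*;
import java.time.temporal.ChronoUnit;
import java.util.*;
import java.util.regex.*;
public class ServiceAppTokenFlow {
    static final String TOKEN_ENDPOINT = "https://(domain).okta.com/oauth2/v1/token"; // assumed placeholder
    static final String CLIENT_ID = "(client_id)";                                   // assumed placeholder
    static final String ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
    // Step 1: the self-signed JWT is a client assertion proving possession of the registered key; it is not an access token.
    static String clientAssertion(PrivateKey privateKey) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setAudience(TOKEN_ENDPOINT)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plus(5L, ChronoUnit.MINUTES)))
                .setIssuer(CLIENT_ID).setSubject(CLIENT_ID)
                .setId(UUID.randomUUID().toString())   // jti: unique per request
                .signWith(privateKey).compact();
    }
    // Step 2: present the assertion to the token endpoint (client_credentials, RFC 7523) and keep the access token Okta issues.
    static String requestAccessToken(PrivateKey privateKey, String scope) throws Exception {
        String form = "grant_type=client_credentials"
                + "&scope=" + URLEncoder.encode(scope, StandardCharsets.UTF_8)
                + "&client_assertion_type=" + URLEncoder.encode(ASSERTION_TYPE, StandardCharsets.UTF_8)
                + "&client_assertion=" + clientAssertion(privateKey);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("token endpoint: " + resp.body());
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(resp.body());
        if (!m.find()) throw new IllegalStateException("no access_token in response"); // real code: JSON parser
        return m.group(1);
    }
    // Step 3 (resource server): only the Okta-issued access token is checked against the issuer's /v1/keys; the client's own key is never in that JWKS.
    static Jwt verifyAccessToken(String accessToken, String issuer, String audience) throws JwtVerificationException {
        AccessTokenVerifier verifier = JwtVerifiers.accessTokenVerifierBuilder()
                .setIssuer(issuer).setAudience(audience)
                .setConnectionTimeout(Duration.ofSeconds(1)).build();
        return verifier.decode(accessToken);
    }
}
```

Calling requestAccessToken(privateKey, "okta.users.read") and sending only its result in the Authorization header is the token the verifier is built to validate; sending the client assertion itself gives the verifier nothing it can look up.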