JWT token always has invalid signature

Hello, I am creating a custom app with Okta authentication.

Everything works fine with a dev okta account, but when I use my org’s okta it doesn’t, it always fails with the "Error while resolving signing key for kid " error.

What I noticed by debugging any token generated by my organization in jwt.io is that they ALWAYS have invalid signature.

Also the issuer doesn’t have the /oauth2/default which I thought would always be there. How is that possible?

Hi, @danielcosta

It appears that your application is using the org auth server rather than a custom authorization server. If the issuer is just the org domain and does not have /oauth2/default, that will be the org authorization server. An issuer including /oauth2/default would be referring to the default custom authorization server, which is available with the API Access Management feature. Please refer to this document: Authorization Servers | Okta Developer

If you are using the org authorization server and debugging the access token in jwt.io, you will see the invalid signature message, as per this support article.

Please let me know if you have any further questions.


Thank you, let me see if I got this straight.

From Authorization Servers | Okta Developer I see this

Additionally, the resulting access token’s issuer is https://${yourOktaOrg} , which indicates that only Okta can consume or validate it. The access token can’t be used or validated by your own applications.

Does that mean I can’t validate the token at all in the server side?

My scenario is the following:

I have a Node JS server using @okta/jwt-verifier library, I created an application in Okta which makes a request to this Node JS server, in this server I am using the jwt-verifier to validate the token and then move on with the protected features.

If I can’t validate this kind of token with the jwt-verifier, what should be the correct way of ensuring the security on this server? Is there an okta api that I should call passing the token forward?

I considered just calling an Okta API to validate the token, but then that wouldn’t validate the client id.

You can validate the token remotely with the /introspect endpoint. Please refer to this documentation.

1 Like