JWT tokens are always invalid


I am building an application that consists of three parts: a Spring Boot resource server, a single page application that communicates with the resource server and Okta as an authorization server. The SPA should get a token with the implicit flow and use it as a HTTP Authorization Bearer token to authenticate with the resource server. The resource server should verify the token with Okta using the /introspect endpoint.

There is an Okta application for each component (resource server and SPA) with seperate client credentials. Both applications are enabled for the authorization server api://default.

When I use a token to authenticate on my resource server I always get a 401 unauthorized. I thought my implementation was wrong but when I manually check the /introspect endpoint I always get {"active": false}.

Has anybody had similar issues?

Are you using the same Issuer for both applications?

If you paste your token into something like: https://www.jsonwebtoken.io/ what does it look like?
(If you paste it here obfuscate the sensitive bits (IDs, emails, etc)

I think I am but I am not a 100% sure. The Issuer for my Okta Authorization Server is https://dev-xxxxxx.oktapreview.com/oauth2/default. In the SPA it’s the same. I don’t think I need to configure it on my Resource Server because it already is in the token. Is this correct?

When I paste the token into jwt.io I can see the claims but it says that the signature is invalid. Here is the token:

    "kid": "kid",
    "alg": "RS256"

  "sub": "my okta user id",
  "name": "my okta user name",
  "email": "my okta email",
  "ver": 1,
  "iss": "https://dev-xxxxxx.oktapreview.com/oauth2/default",
  "aud": "my single page application client id",
  "iat": 1531925439,
  "exp": 1531929039,
  "jti": "unique id",
  "amr": [
  "idp": "idp id",
  "nonce": "unique id",
  "preferred_username": "my preferred okta user name",
  "auth_time": 1531901458,
  "at_hash": "hash",
  "groups": [


You will still need configure the resource server with the right issuer. Even though the issuer is in the token, the resource server can only ensure that it is correct by comparing it with the right issuer.
Not sure if you’re using Okta’s spring resource server sample. But if you are you have to pass the issuer while starting the resource server like this -

cd resource-server
mvn -Dokta.oauth2.issuer=https://{yourOktaDomain}/oauth2/default

Source - https://github.com/okta/samples-java-spring/tree/master/resource-server

I am trying to do the verification of the token not on the resource server itself but remotely by sending it to https://{yourOktaDomain}/oauth2/default/introspect. As far as I understand this endpoint should be able to verify the token so my resource server can be sure that it is valid. But when I send the token for verification it is always rejected.

I thought it would work as it is described here: https://developer.okta.com/authentication-guide/tokens/validating-access-tokens#validating-a-token-remotely-with-okta

By the way I am not using the Spring Okta Starter. I am using the default OAuth2 Spring library because I want to be able to swap out identity providers (for example Keycloak, Google, etc).

I changed the issuer in the SPA to the correct URL but it was still cached in the browser. Thanks!

1 Like