JWTValidationException: No matching JWK

I searched and couldn’t find any previous question on this, so perhaps someone can help?

I created an Okta dev account, cloned the samples-python-flask repo and tested the okta-hosted-login example code. Worked perfectly!

Now I copied almost the same code into my Django app, and I get JWTValidationException: No matching JWK when running is_access_token_valid.

The code for is_access_token_valid was taken from the sample and is exactly the same in both Flask and Django, so I’m guessing it is something to do with configuration? I know next to nothing about JWT, so any help would be appreciated. Thanks!

I checked the tokens from the good and bad requests and they are subtly different.

Here’s the good token:

{'kid': 'xxxxx', 'alg': 'RS256'}, {'ver': 1, 'jti': 'xxx', 'iss': 'https://dev-03272826.okta.com/oauth2/default', 'aud': 'api://default', 'iat': 1631801240, 'exp': 1631804840, 'cid': '0oa1o8zm8ohd0d1XN5d7', 'uid': '00u1o9md1mWz8l7yM5d7', 'scp': ['profile', 'openid', 'email'], 'sub': 'alice@example.com'}, 

and here the bad one:

{'kid': 'xxxxx', 'alg': 'RS256'}, {'ver': 1, 'jti': 'xxx', 'iss': 'https://dev-03272826.okta.com', 'aud': 'https://dev-03272826.okta.com', 'sub': 'alice@example.com', 'iat': 1631801645, 'exp': 1631805245, 'cid': '0oa1o8zm8ohd0d1XN5d7', 'uid': '00u1o9md1mWz8l7yM5d7', 'scp': ['openid', 'email', 'profile']},

What’s interesting is that iss and aud are different in the two tokens. I am calling the authorization_endpoint with exactly the same params, and during validation I am passing in the full issuer (https://dev-03272826.okta.com/oauth2/default) to okta_jwt_verifier.AccessTokenVerifier in exactly the same way. I’m not sure what’s going on.

You cannot complete local token validation for an access token issued by the Org Authorization Server (“iss” = https://org.okta.com). Details here: Okta Help Center (Lightning)


Thanks for the response. I should be clear that I am just doing authn using OIDC, not doing any authz. I’m trying to understand why the OIDC example code from the Okta samples-python-flask repo worked perfectly, but similar code in Django failed.

It seemed like Django was attempting to validate the access tokens, which won’t work if the token was issued by the Org Authorization Server, whether or not you were trying to.

Were you able to check and see if you can get the Django app to request tokens from the Default AS instead? When the /authorize call goes out, is it being made to https://dev-03272826.okta.com/oauth2/default/v1/authorize or is it going to https://dev-03272826.okta.com/oauth2/v1/authorize?
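A pre-check along the lines of the responder's point, added here as an example that is not code from the thread, from Okta, or from the okta-jwt-verifier project: it decodes a token's claims without verifying the signature and reports whether the issuer is the Org Authorization Server (no /oauth2/ path), which local validation cannot handle. ORG_URL, EXPECTED_ISSUER, EXPECTED_AUDIENCE and the sample tokens are constructed from the thread's redacted claims.

```python
import base64
import json

# Constructed sample values mirroring the thread (not real Okta data).
ORG_URL = "https://dev-03272826.okta.com"
EXPECTED_ISSUER = ORG_URL + "/oauth2/default"
EXPECTED_AUDIENCE = "api://default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_issuer(token: str, expected_issuer: str = EXPECTED_ISSUER,
                    expected_audience: str = EXPECTED_AUDIENCE) -> list[str]:
    """Explain why local validation will fail before handing the token to a verifier."""
    claims = unverified_claims(token)
    problems = []
    iss = claims.get("iss", "")
    if "/oauth2/" not in iss:
        problems.append(f"iss={iss!r} is the Org Authorization Server; its access "
                        "tokens cannot be validated locally. Use /oauth2/default.")
    elif iss != expected_issuer:
        problems.append(f"iss={iss!r} does not match expected issuer {expected_issuer!r}")
    if claims.get("aud") != expected_audience:
        problems.append(f"aud={claims.get('aud')!r} does not match {expected_audience!r}")
    return problems


def _fake_jwt(claims: dict) -> str:
    # Build an unsigned, JWT-shaped string for the demo (signature segment is a dummy).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"kid": "xxxxx", "alg": "RS256"}), enc(claims), "sig"])


GOOD_TOKEN = _fake_jwt({"iss": EXPECTED_ISSUER, "aud": "api://default", "sub": "alice@example.com"})
BAD_TOKEN = _fake_jwt({"iss": ORG_URL, "aud": ORG_URL, "sub": "alice@example.com"})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, diagnose_issuer(tok) or ["looks like a Default AS token"])
```

Run the check on the token your Django app receives before calling the verifier; an Org AS issuer here means the /authorize request went to /oauth2/v1/authorize rather than /oauth2/default/v1/authorize.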