KID in id_token header not matching kid in metadata


#1

When I request a token and ID token the kid claim in the header does not match the key ids in the /keys endpoint response. However, when I request a token preview from the admin interface the kid in the header matches as expected. I’m calling the token endpoint using the JavaScript library. Is there a way I need to decode the key id? Do I need to call the token endpoint a special way to get the right key id in the id_token header?


#2

Hi,

I just went through this… and it took me 2 days to figure it out. If you don’t specify an authorizeUrl in your config it defaults to a bad address. Let me know if you are still stuck after trying this, I ran into a couple other finicky settings.

Here is my initialization that is broken:

var config = {url: 'https://daveokta.xxx.com', clientId: 'xxxxxxxxxx', redirectUri: 'https://daveokta.xxx.com', issuer: 'https://dev-617002.oktapreview.com/oauth2/default'};
config.authParams = {issuer: 'https://dev-617002.oktapreview.com/oauth2/default', responseType: ['token'], display: 'page', nonce: 'xyzxyzxyzxyz'};
var authClient = new OktaAuth(config);

Here is my initialization that fixed it:

var config = {url: 'https://daveokta.xxx.com', clientId: 'xxxxxxxxxx', redirectUri: 'https://daveokta.xxx.com', issuer: 'https://dev-617002.oktapreview.com/oauth2/default'};
config.authParams = {issuer: 'https://dev-617002.oktapreview.com/oauth2/default', responseType: ['token'], display: 'page', nonce: 'xyzxyzxyzxyz'};
// Point the authorize and userinfo endpoints at the same authorization server as the issuer
config.authorizeUrl = 'https://dev-617002.oktapreview.com/oauth2/default/v1/authorize';
config.userinfoUrl = 'https://dev-617002.oktapreview.com/oauth2/default/v1/userinfo';
var authClient = new OktaAuth(config);


#3

I think the issuer of the token might be different than the endpoint you are checking for the keys?

Can you post your configuration and the endpoint you are checking for the keys?


#4

Thanks! I came across this answer: https://stackoverflow.com/questions/50646306/okta-validating-jwt-token-using-public-keys-from-openid-connect-config/50681591. But, I wasn’t quite sure how to configure the issuer until Dave’s post. Seems like that must be the issue. I’ll try that out.

UPDATE:
So all I did was add the issuer key/value to the config object and it seems to work fine now. Thanks again!


#5

It is critically important to set the issuer in the client side configuration on your oktaAuth object to the same one used in your server side. I was setting mine client side (React) in the Security component, but I was not setting it in the oktaAuth object. This was the fix!

const configSettings = {
  url: props.baseUrl,
  clientId: config.client_id,
  redirectUri: config.redirect_uri,
  issuer: config.issuer,
};
this.oktaAuth = new OktaAuth(configSettings);
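The thread's root cause is that the id_token comes from one authorization server while the /keys lookup goes to another. The check below is an added example (not code from the thread or from Okta's SDK): it decodes the id_token header and payload, derives the JWKS URL from the token's own iss claim (assumed here to be {issuer}/v1/keys, following the /v1/authorize pattern in Dave's post), and looks the kid up there. The token and the two key sets are constructed so it runs offline in Node.

```javascript
// Added example: resolve the JWKS from the token's iss claim and check the kid there,
// instead of against whatever /keys URL the app happened to be configured with.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

// Constructed sample id_token: header and payload only; the signature is a
// placeholder because this check is about key lookup, not signature verification.
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', kid: 'custom-as-key-1' }),
  b64url({ iss: 'https://dev-617002.oktapreview.com/oauth2/default', sub: 'user@example.com', aud: 'xxxxxxxxxx' }),
  'placeholder-signature',
].join('.');

// Constructed JWKS responses: the org-level /keys endpoint and the custom
// authorization server's /keys endpoint publish different signing keys.
const JWKS_BY_URL = {
  'https://dev-617002.oktapreview.com/oauth2/v1/keys': {
    keys: [{ kty: 'RSA', kid: 'org-as-key-1', use: 'sig' }],
  },
  'https://dev-617002.oktapreview.com/oauth2/default/v1/keys': {
    keys: [{ kty: 'RSA', kid: 'custom-as-key-1', use: 'sig' }],
  },
};

// Assumption: the JWKS lives at {issuer}/v1/keys (same layout as /v1/authorize above).
function jwksUrlFor(issuer) {
  return issuer.replace(/\/$/, '') + '/v1/keys';
}

// Returns the matching JWK or null; a null here means "wrong issuer or rotated key".
function findKey(kid, jwks) {
  if (!jwks || !Array.isArray(jwks.keys)) return null;
  return jwks.keys.find((k) => k.kid === kid) || null;
}

// Decode the token, derive the JWKS URL from its iss claim, and look the kid up there.
function checkKid(idToken, jwksByUrl) {
  const [headerSeg, payloadSeg] = idToken.split('.');
  const { kid, alg } = decodeSegment(headerSeg);
  const { iss } = decodeSegment(payloadSeg);
  const jwksUrl = jwksUrlFor(iss);
  const key = findKey(kid, jwksByUrl[jwksUrl]);
  return { iss, kid, alg, jwksUrl, matched: key !== null };
}
```

If `matched` is false but the same kid shows up in another issuer's key set, the client is configured with a different issuer than the one that minted the token, which is exactly the symptom in #1.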