Kid in OIDC JWT doesn't match any in jwks_uri

We are developing an OIDC solution using the Okta developer portal and running into issues verifying the JWT that is issued. We are using the default authorization server and have a single app configured. When we receive the JWT, the kid value in the header does not match any of the keys in the jwks_uri. We cannot figure out how this is happening. What could we be doing wrong?

We likely want to confirm exactly which Authorization Server you are using so you can ensure you are using the appropriate keys endpoint.

When you say that you are using the default authorization server, can you confirm if the tokens issued to your application have an iss claim with a value of https://oktaDomain/oauth2/default? Or does it have an iss of https://oktaDomain?

  • If the iss for your token is https://oktaDomain/oauth2/default, then the matching JWKS endpoint is https://oktaDomain/oauth2/default/v1/keys
  • If the iss for your token is https://oktaDomain, then the matching JWKS endpoint is https://oktaDomain/oauth2/v1/keys

Hi @bschell! Hopefully, this video is of use to you: Okta Authorization Servers for OpenID Connect and OAuth 2.0 Integrations. Here I describe the different authz servers at Okta and common pitfalls.


Thanks, it looks like we got the issuer set right now, and that was our problem. Now we get a valid kid, but the verifier still fails saying “unable to locate signature verification key for JWS”. Not sure what is causing that issue now.

What did the issuer wind up being? Was it https://oktaDomain, indicating the token was issued by the Org Authorization Server?

The issuer we are using is https://dev-28810421.okta.com/oauth2/default. I think we got it working now. Once we got the issuer correct, we had some other endpoint URLs that didn’t match. Thanks for all the help.

