No KID in token after okta-vue authentication

I have a SPA application that uses okta-vue to redirect the user to the Okta login page and then gets a redirect back with token details.

This all seems to be working correctly. My application then calls Vue.prototype.$auth.getAccessToken() to get an access token, and then adds this to the request header for a call to my REST api.

On the REST server (Flask/Python), I see the call come in, unpack the request header and decode the token using a JWT library, however I am unable to verify its integrity. I can see the following information (content in curly brackets redacted):

{'aud': 'api://default', 
'cid': '{correct client id}', 
'exp': 1558984254, 
'iat': 1558980654, 
'iss': '{correct url}', 
'jti': 'AT.qusQRp2t8lY4HLdK...WS2s6WTP4', 
'scp': ['openid', 'email', 'profile'], 
'sub': '{correct user}', 
'uid': '00um6zfvgBoOCobCg356', 'ver': 1}

From what I can tell from the examples I’ve found, a ‘kid’ identifier should be mandatory in the token, but is missing in my case.

Does anyone know why the ‘kid’ attribute is missing?

To verify the integrity of the token, I believe I’m then meant to use the Okta public keys to do an RS256 decode, but this decode is always failing with an exception “Expecting a PEM-formatted key”, which I have guessed is related to the missing ‘kid’ attribute, but any other suggestions welcome.

Ian

Your issuer URL should end in /oauth2/default. If it doesn’t, can you try adding it? You can find your issuer at API > Authorization Servers.

Hi,

The issuer URL I set before the authentication call to Okta does end in oauth2/default already, its full form being: https://{my domain}.okta.com/oauth2/default

Since my post last night I have made some progress, namely that I realised that I needed to convert the public key from the format provided by the /keys call to a PEM format. For anyone with the same problem, here is example code I found to make that conversion: [jwks_to_pem.py](https://github.com/jpf/okta-jwks-to-pem/blob/master/jwks_to_pem.py)

As it happens, the Okta server /keys call only returns one key, and if I use that key to verify the token I get a pass. So that’s a success and it proves that the access token I’ve received into my SPA application and passed to my application server is well formed, albeit missing a ‘kid’ attribute.

So in a sense I can move forward, however it remains strange that I am not getting a ‘kid’ in the access token as referenced in all the examples I’ve seen, which means I cannot look up which public key to use (in the event more than one public key is supplied by the /keys call).

Ian

Right, so issue solved.

The ‘kid’ identifier is located in the token header, not in the payload. Using the PyJWT library, use get_unverified_header() to extract the header from the access token and retrieve the ‘kid’.

Ian
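Putting the thread's two findings together (the ‘kid’ is in the JOSE header, and the JWK from /keys has to become a PEM or key object before PyJWT will accept it), here is a worked verifier. It is an added example, not code from the thread or from Okta. It assumes PyJWT 2.x and the `cryptography` package; the issuer, the key ids and the JWKS are constructed placeholders so the script runs offline, where a real resource server would fetch and cache the authorization server's /v1/keys response instead.

```python
"""Verify an Okta-style RS256 access token against a JWKS document.

Added example (not code from the thread or from Okta). Assumes PyJWT 2.x and
the `cryptography` package. The key pairs, the JWKS and the token are all
constructed inline so this runs offline; a real deployment fetches the JWKS
from the authorization server's /v1/keys endpoint, caches it, and refreshes
it once when a token carries a kid the cache does not know.
"""
import json
import time

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from jwt.algorithms import RSAAlgorithm

ISSUER = "https://example.okta.com/oauth2/default"  # placeholder issuer URL
AUDIENCE = "api://default"


def make_jwks(key_ids):
    """Constructed stand-in for the /keys response: one RSA key per kid.

    Returns (jwks, private_keys) so the caller can sign with any of them.
    """
    private_keys, keys = {}, []
    for kid in key_ids:
        priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        private_keys[kid] = priv
        jwk = json.loads(RSAAlgorithm.to_jwk(priv.public_key()))
        jwk.update({"kid": kid, "alg": "RS256", "use": "sig"})
        keys.append(jwk)
    return {"keys": keys}, private_keys


def issue_token(private_key, kid, subject="00um6zfvgBoOCobCg356", lifetime=3600):
    """Mint a token shaped like the one in the question. The kid goes in the header."""
    now = int(time.time())
    payload = {
        "aud": AUDIENCE, "iss": ISSUER, "sub": subject,
        "iat": now, "exp": now + lifetime,
        "scp": ["openid", "email", "profile"], "ver": 1,
    }
    token = jwt.encode(payload, private_key, algorithm="RS256", headers={"kid": kid})
    return token if isinstance(token, str) else token.decode()  # PyJWT 1.x gave bytes


def header_kid(token):
    """The kid lives in the (unverified) header, which is where to read it from."""
    return jwt.get_unverified_header(token).get("kid")


def payload_kid(token):
    """Reading the payload, as the question did, never yields a kid (returns None)."""
    return jwt.decode(token, options={"verify_signature": False}).get("kid")


def jwk_to_pem(jwk):
    """The conversion the thread needed: a JWK from /keys -> PEM SubjectPublicKeyInfo."""
    pub = RSAAlgorithm.from_jwk(json.dumps(jwk))
    return pub.public_bytes(serialization.Encoding.PEM,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def verify_access_token(token, jwks):
    """Pick the key by kid, pin the algorithm, then verify signature, exp, aud, iss."""
    header = jwt.get_unverified_header(token)
    if header.get("alg") != "RS256":
        raise jwt.InvalidTokenError("unexpected alg %r" % header.get("alg"))
    kid = header.get("kid")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        # Unknown kid: in production, refresh the JWKS cache once before failing.
        raise jwt.InvalidTokenError("no unique signing key for kid %r" % kid)
    return jwt.decode(token, jwk_to_pem(matches[0]), algorithms=["RS256"],
                      audience=AUDIENCE, issuer=ISSUER)


def raw_jwk_failure(token, jwk):
    """Reproduce the question's mistake: hand PyJWT the JWK JSON instead of a PEM.

    Returns the exception class name (PyJWT rejects the key), or None if it passed.
    """
    try:
        jwt.decode(token, json.dumps(jwk), algorithms=["RS256"],
                   audience=AUDIENCE, issuer=ISSUER)
    except Exception as exc:  # InvalidKeyError on PyJWT 2.x, TypeError on 1.x
        return type(exc).__name__
    return None


if __name__ == "__main__":
    jwks, private_keys = make_jwks(["key-2019-a", "key-2019-b"])
    tok = issue_token(private_keys["key-2019-b"], "key-2019-b")
    print("header kid:", header_kid(tok), "| payload kid:", payload_kid(tok))
    print("raw JWK as key ->", raw_jwk_failure(tok, jwks["keys"][1]))
    print("verified claims:", verify_access_token(tok, jwks))
```

The verifier deliberately reads `alg` from the header only to reject anything other than RS256 and passes a fixed `algorithms=["RS256"]` to `jwt.decode`; the key is chosen by `kid` and never by anything else in the token. A `kid` that does not match exactly one JWKS entry is a hard failure, which is also the signal to refresh a cached JWKS after an Okta key rotation.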
