I have a SPA application that uses okta-vue to redirect the user to the Okta login page and then gets a redirect back with token details.
This all seems to be working correctly. My application then calls Vue.prototype.$auth.getAccessToken() to get an access token, and then adds this to the request header for a call to my REST api.
On the REST server (Flask/Python), I see the call come in, unpack the request header and decode the token using a JWT library, however I am unable to verify its integrity. I can see the following information (content in curly brackets redacted):
From what I can tell from the examples I’ve found, a ‘kid’ identifier should be mandatory in the token, but is missing in my case.
Does anyone know why the ‘kid’ attribute is missing?
To verify the integrity of the token, I believe I’m then meant to use the Okta public keys to do an RS256 decode, but this decode is always failing with an exception “Expecting a PEM-formatted key”, which I have guessed is related to the missing ‘kid’ attribute, but any other suggestions welcome.
The issuer URL I set before the authentication call to Okta does end in oauth2/default already, its full form being: https://{my domain}.okta.com/oauth2/default
Since my post last night I have made some progress, namely that I realised that I needed to convert the public key from the format provided by the /keys call to a PEM format. For anyone with the same problem, here is example code I found to make that conversion: https://github.com/jpf/okta-jwks-to-pem/blob/master/jwks_to_pem.py
As it happens, the Okta server /keys call only returns one key, and if I use that key to verify the token I get a pass. So that’s a success and it proves that the access token I’ve received into my SPA application and passed to my application server is well formed, albeit missing a ‘kid’ attribute.
So in a sense I can move forward, however it remains strange that I am not getting a ‘kid’ in the access token as referenced in all the examples I’ve seen, which means I cannot look up which public key to use (in the event more than one public key is supplied by the /keys call).
The ‘kid’ identifier is located in the token header, not in the payload. Using the PyJWT library, use get_unverified_header() to extract the header from the access token and retrieve the ‘kid’.
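The two points in this thread (converting a JWK from the /keys response into PEM so PyJWT stops raising "Expecting a PEM-formatted key", and reading the `kid` from the token header with `get_unverified_header()`) fit together into one verification routine. The following is an added example, not code from either poster or from Okta; the issuer URL, audience and kid values are placeholders, and the JWKS document and key pairs are constructed in-process so it runs offline. It also covers the single-key case the original poster hit: a token with no `kid` is only accepted when the JWKS contains exactly one candidate key, and rejected as ambiguous otherwise. Requires PyJWT 2.x and cryptography.

```python
# Added example (not the forum posters' code): verify an Okta-style RS256 access
# token against a JWKS document, selecting the signing key by the `kid` found in
# the token HEADER. Issuer, audience and kids are placeholders; the JWKS is built
# locally so the example runs without network access.
import base64
import json
import time

import jwt  # PyJWT 2.x
from jwt.algorithms import RSAAlgorithm
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

ISSUER = "https://example.okta.com/oauth2/default"  # placeholder issuer URL
AUDIENCE = "api://default"                          # placeholder audience


def jwk_to_pem(jwk: dict) -> bytes:
    """Turn one RSA JWK (kty/n/e) from a /keys response into SubjectPublicKeyInfo PEM.
    Passing the raw JWK dict to jwt.decode is what produces 'Expecting a PEM-formatted key'."""
    public_key = RSAAlgorithm.from_jwk(json.dumps(jwk))
    return public_key.public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def token_kid(token: str):
    """The kid is in the JOSE header, not the claims payload; read it unverified."""
    return jwt.get_unverified_header(token).get("kid")


def select_signing_key(token: str, jwks: dict) -> bytes:
    """Pick the PEM verification key for `token` from a JWKS document."""
    header = jwt.get_unverified_header(token)
    if header.get("alg") != "RS256":
        # Reject anything else up front; the header is attacker-controlled until verified.
        raise ValueError("unexpected alg %r" % header.get("alg"))
    rsa_keys = [k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    kid = header.get("kid")
    if kid is None:
        # No kid: only safe when the JWKS is unambiguous (the single-key case above).
        if len(rsa_keys) != 1:
            raise LookupError("token has no kid and JWKS has %d candidate keys" % len(rsa_keys))
        return jwk_to_pem(rsa_keys[0])
    for k in rsa_keys:
        if k.get("kid") == kid:
            return jwk_to_pem(k)
    raise LookupError("no JWK with kid=%r" % kid)


def verify_access_token(token: str, jwks: dict,
                        issuer: str = ISSUER, audience: str = AUDIENCE) -> dict:
    """Return the verified claims, or raise jwt.PyJWTError / LookupError / ValueError."""
    pem = select_signing_key(token, jwks)
    return jwt.decode(
        token, pem,
        algorithms=["RS256"],            # pin the algorithm; never take it from the header
        issuer=issuer, audience=audience,
        options={"require": ["exp", "iat", "sub"]},
    )


# ---- constructed fixtures standing in for Okta's /keys endpoint and token minting ----

def _b64url_uint(n: int) -> str:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_test_jwks(kids):
    """Constructed: one RSA key pair per kid; returns (private keys by kid, JWKS dict)."""
    private = {kid: rsa.generate_private_key(public_exponent=65537, key_size=2048) for kid in kids}
    jwks = {"keys": []}
    for kid, priv in private.items():
        nums = priv.public_key().public_numbers()
        jwks["keys"].append({"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                             "n": _b64url_uint(nums.n), "e": _b64url_uint(nums.e)})
    return private, jwks


def issue_test_token(private_key, kid=None, sub="user@example.com", lifetime=300) -> str:
    """Constructed: mint a token as an authorization server would, optionally with a kid header."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now, "exp": now + lifetime}
    private_pem = private_key.private_bytes(serialization.Encoding.PEM,
                                            serialization.PrivateFormat.PKCS8,
                                            serialization.NoEncryption())
    headers = {"kid": kid} if kid else None
    token = jwt.encode(claims, private_pem, algorithm="RS256", headers=headers)
    return token.decode() if isinstance(token, bytes) else token


if __name__ == "__main__":
    private, jwks = make_test_jwks(["key-A", "key-B"])
    token = issue_test_token(private["key-B"], kid="key-B")
    print("kid from header:", token_kid(token))
    print("verified sub:", verify_access_token(token, jwks)["sub"])
```

In a real Flask resource you would fetch the JWKS from the authorization server's keys URL and cache it; PyJWT 2.x also ships `jwt.PyJWKClient`, whose `get_signing_key_from_jwt()` does the kid lookup against a remote JWKS for you, but it too relies on a `kid` being present in the header.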