OAuth2 JWT assertion - 401 unauthorized

Hello!

I’m having some trouble getting JWT assertions to work in a Spring Boot application for an Okta Open ID application integration.

Note the Spring Boot app works with this same OKTA application using client secret, and works with Entra ID for both client secret and JWT assertions.

However, when I try to authenticate with Okta using a JWT assertion, it returns a 401 unauthorized error message as follows:

org.springframework.web.reactive.function.client.WebClientResponseException$Unauthorized: 401 Unauthorized from POST https://dev-60265957.okta.com/oauth2/default/v1/token

This is the JSON version of the public key, which I upload to the Okta app:

{
"kty": "RSA",
"e": "AQAB",
"n": "r9IcVK_9POl3R…",
"use": "sig",
"kid": "abc",
"alg": "RS256"
}

I also validated the JWT assertion against the public key using jwt.io, and it confirms the signature is verified (see image)

Below is the authorization code request, which as I said works fine with client secret:

https://dev-60265957.okta.com/oauth2/default/v1/authorize?client_id=0oaljin739TCpu5Bu5d7&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fmy_redirect_api&response_type=code&scope=openid%20email%20profile%20offline_access&sso_reload=true&state=aaaa&nonce=bbbb

Any ideas on what I’m doing wrong for the JWT assertion?

Thanks!

I’ve finally found the solution to this. The problem was that the header of the JWT assertion needs to contain a “kid” field, which needs to match the kid of the public key which is uploaded to the server.

For some reason, this isn’t mentioned in the documentation, or maybe I just missed it.

In fact, the OKTA server does provide helpful error messages, but for some reason they don’t show up in the generated exception in Spring Boot.

I tried a few different things, but the one that worked was to copy the generated JWT into a curl command and call the API from that.

Here’s an example:

@echo off
REM Set your variables
set CLIENT_ID=0oalji…
set AUTH_CODE=NXNGkZzy1xCg9dVGA58qr9INOpQAuNohKrp6acFO8vQ
set JWT_ASSERTION=eyJ4NXQi…
set REDIRECT_URI=https://localhost:9444/callback

REM Make the cURL request (-i shows the status line and headers along with the JSON error body Okta returns)
curl -i -X POST https://dev-60265957.okta.com/oauth2/default/v1/token ^
-H "Content-Type: application/x-www-form-urlencoded" ^
-d "grant_type=authorization_code" ^
-d "code=%AUTH_CODE%" ^
-d "redirect_uri=%REDIRECT_URI%" ^
-d "client_id=%CLIENT_ID%" ^
-d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" ^
-d "client_assertion=%JWT_ASSERTION%"

REM Pause to keep the window open and see the output
pause
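The fix described above, as an added example in Java (not code from the original post or from Okta): it builds the private_key_jwt client assertion with the Nimbus JOSE library that spring-boot-starter-oauth2-client pulls in, putting the JWK's kid ("abc", matching the uploaded public key) into the JWS header alongside the RFC 7523 claims, checks locally that the header kid matches the uploaded key before the token call, and sends the same form parameters as the curl script through WebClient. The client id, token endpoint and kid come from the thread; the key pair is generated on the fly for the demo, and the class, method and variable names are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.UUID;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import reactor.core.publisher.Mono;

public class OktaClientAssertion {

    // Values from the thread; the kid must equal the "kid" of the JWK uploaded to the Okta app
    static final String TOKEN_ENDPOINT = "https://dev-60265957.okta.com/oauth2/default/v1/token";
    static final String CLIENT_ID = "0oaljin739TCpu5Bu5d7";
    static final String KEY_ID = "abc";

    /** Builds the client assertion (RFC 7523): iss and sub are the client id, aud is the token endpoint. */
    static String buildClientAssertion(RSAKey signingKey) throws Exception {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(signingKey.getKeyID())   // the missing piece in the original failure
                .build();
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(CLIENT_ID)
                .subject(CLIENT_ID)
                .audience(TOKEN_ENDPOINT)
                .jwtID(UUID.randomUUID().toString())   // unique per request; Okta rejects replays
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + 5 * 60 * 1000))   // short lifetime
                .build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(signingKey.toRSAPrivateKey()));
        return jwt.serialize();
    }

    /** Pre-flight check: fail fast if the header kid does not match the key Okta has on file. */
    static void assertKidMatches(String assertion, RSAKey uploadedPublicKey) throws Exception {
        String headerKid = SignedJWT.parse(assertion).getHeader().getKeyID();
        if (headerKid == null || !headerKid.equals(uploadedPublicKey.getKeyID())) {
            throw new IllegalStateException("JWT header kid '" + headerKid
                    + "' does not match uploaded JWK kid '" + uploadedPublicKey.getKeyID() + "'");
        }
    }

    /** Same request as the curl script; on 4xx the Okta error body is kept instead of being lost. */
    static String exchangeCode(String code, String redirectUri, String assertion) {
        return WebClient.create().post()
                .uri(TOKEN_ENDPOINT)
                .body(BodyInserters.fromFormData("grant_type", "authorization_code")
                        .with("code", code)
                        .with("redirect_uri", redirectUri)
                        .with("client_id", CLIENT_ID)
                        .with("client_assertion_type",
                                "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
                        .with("client_assertion", assertion))
                .retrieve()
                .bodyToMono(String.class)
                .onErrorResume(WebClientResponseException.class, e -> Mono.error(new IllegalStateException(
                        "Okta returned " + e.getStatusCode() + ": " + e.getResponseBodyAsString(), e)))
                .block();
    }

    public static void main(String[] args) throws Exception {
        // Demo key pair; the real app loads the private key whose public half was exported as the JWK
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        RSAKey key = new RSAKey.Builder((RSAPublicKey) pair.getPublic())
                .privateKey(pair.getPrivate())
                .keyID(KEY_ID)
                .build();

        System.out.println("Public JWK to upload to the Okta app: " + key.toPublicJWK().toJSONString());
        String assertion = buildClientAssertion(key);
        assertKidMatches(assertion, key.toPublicJWK());
        System.out.println("client_assertion: " + assertion);
        // exchangeCode("<authorization code from the redirect>", "https://localhost:9444/callback", assertion);
    }
}
```

The `onErrorResume` branch is what surfaces the server's own error description: `WebClientResponseException` carries the response body, so logging `getResponseBodyAsString()` gives the same detail the curl call showed without leaving the application.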
