OAuth2 JWT assertion - 401 unauthorized

mcduser999 · December 10, 2024, 10:16pm

Hello!

I’m having some trouble getting JWT assertions to work in a Spring Boot application for an Okta Open ID application integration.

Note the Spring Boot app works with this same OKTA application using client secret, and works with Entra ID for both client secret and JWT assertions.

However, when I try to authenticate with Okta using a JWT assertion, it returns a 401 unauthorized error message as follows:

org.springframework.web.reactive.function.client.WebClientResponseException$Unauthorized: 401 Unauthorized from POST https://dev-60265957.okta.com/oauth2/default/v1/token

This is the JSON version of the public key, which I upload to the Okta app:

{
“kty”: “RSA”,
“e”: “AQAB”,
“n”: “r9IcVK_9POl3R…”,
“use”: “sig”,
“kid”: “abc”,
“alg”: “RS256”
}

I also validated the JWT assertion against the public key using jwt.io, and it confirms the signature is verified (see image)

Below is the authorization code request, which as I said works fine with client secret:

https://dev-60265957.okta.com/oauth2/default/v1/authorize?client_id=0oaljin739TC
pu5Bu5d7&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fmy_redirect_api&response_type=code&scope=openid%20email%20profile%20offline_access&sso_reload=true&state=aaaa&nonce=bbbb

Any ideas on what I’m doing wrong for the JWT assertion?

Thanks!

mcduser999 · December 13, 2024, 3:31pm

I’ve finally found the solution to this. The problem was that the header of the JWT assertion needs to contain a “kid” field, which needs to match the kid of the public key which is uploaded to the server.

For some reason, this isn’t mentioned in the documentation, or maybe I just missed it.

In fact, the OKTA server does provide helpful error messages, but for some reason they don’t show up in the generated exception in Spring Boot.

I tried a few different things, but the one that worked was to copy the generated JWT into a curl command and call the the API from that.

Here’s an example:

@echo off
REM Set your variables
set CLIENT_ID=0oalji…
set AUTH_CODE=NXNGkZzy1xCg9dVGA58qr9INOpQAuNohKrp6acFO8vQ&
set JWT_ASSERTION=eyJ4NXQi…
set REDIRECT_URI=https://localhost:9444/callback

REM Make the cURL request
curl -X POST https://dev-60265957.okta.com/oauth2/default/v1/token ^
-H “Content-Type: application/x-www-form-urlencoded” ^
-d “grant_type=authorization_code” ^
-d “code=%AUTH_CODE%” ^
-d “redirect_uri=%REDIRECT_URI%” ^
-d “client_id=%CLIENT_ID%” ^
-d “client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer” ^
-d “client_assertion=%JWT_ASSERTION%”

REM Pause to keep the window open and see the output
pause

Post		Replies	Views
Bad Request, when trying to get Access token using JWT token Questions spring , java	4	4190	February 8, 2024
JWT validation in Spring boot failing OAuth/OIDC spring , java	2	7506	November 29, 2022
Resource Server - Invalid Token, Invalid JOSE header error Questions spring , java	2	7397	January 12, 2024
JWT authentication fails / app keys not in /oauth2/default/v1/keys Questions	3	7169	October 15, 2020
OIDC PKCE JWT Key not matching kids from keys endpoint OAuth/OIDC	2	7103	November 13, 2019

OAuth2 JWT assertion - 401 unauthorized

Related topics