OIDC PKCE JWT Key not matching kids from keys endpoint

I am trying to use Okta OIDC and PKCE with a Spring Boot REST application using Spring Security. Our front-end UI is authenticating our users with Okta, and is then passing the JWT in the Authorization Bearer token to our backend REST app.

I followed the doc in this link:

My application.yml looks like this:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://dcsg-hub-dev.okta.com
          jwk-set-uri: https://dcsg-hub-dev.okta.com/oauth2/v1/keys?client_id=???

When I call our REST endpoint with a valid token (I verified this by calling the OIDC userinfo endpoint), I am getting the following error:

Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found

I set breakpoints in that code, and for whatever reason, the kid that comes back in the token/JWT from Okta does not match any of the keys that are returned from the call to the Okta jwk-set-uri.

Any ideas what is wrong?

Hey Dave,

This is expected behavior when using Okta as the Authorization Server for minting JWT tokens.

In order to validate a token locally (instead of doing it remotely by sending to the /introspect endpoint), you will need to mint the tokens via a Custom Authorization Server, a la https://{{org}}.okta.com/oauth2/{{authorization_server_id}}, instead of using Okta as the Authorization Server, as you are doing in your example (where the issuer is set to your Okta domain). The ability to create a Custom Authorization Server is part of an additional feature (API Access Management) that may or may not be available for your Org.

Here is an article with some more information about why this validation fails locally:
Signature Validation Failed on Access Token

2 Likes