I am trying to use Okta OIDC and PKCE with a Spring Boot REST application using Spring Security. Our front-end UI is authenticating our users with Okta, and is then passing the JWT in the Authorization Bearer token to our backend REST app.
I followed the doc in this link:
My application.yml looks like this:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://dcsg-hub-dev.okta.com
          jwk-set-uri: https://dcsg-hub-dev.okta.com/oauth2/v1/keys?client_id=???
When I call our REST endpoint with a valid token (I verified this by calling the OIDC userinfo endpoint), I am getting the following error:
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
I set breakpoints in that code, and for whatever reason, the kid that comes back in the token/JWT from Okta does not match any of the keys that are returned from the call to the Okta jwk-set-uri.
Any ideas what is wrong?
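A diagnostic for the kid mismatch described in the question, added here as an example (it is not code from the question, from Spring Security or from Okta): it decodes the token header and claims without verifying the signature, then reports whether the token's kid appears in the JWKS document and whether its iss claim equals the issuer-uri the resource server is configured with. The tenant name, kids and key material are constructed placeholders.

```python
import base64
import json

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS and decode header and claims WITHOUT checking the signature.
    Diagnostic only: never use this output to authorize anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def diagnose(token: str, jwks: dict, configured_issuer: str) -> dict:
    """Compare the token's kid, alg and iss with the JWKS document and the
    issuer-uri the resource server is configured with."""
    header, claims = decode_unverified(token)
    keys = jwks.get("keys", [])
    match = next((k for k in keys if k.get("kid") == header.get("kid")), None)
    return {
        "kid": header.get("kid"),
        "iss": claims.get("iss"),
        "kid_in_jwks": match is not None,
        # A JWK may pin its alg; when it does, the token's alg has to agree.
        "alg_ok": match is not None and match.get("alg", header.get("alg")) == header.get("alg"),
        "issuer_ok": claims.get("iss") == configured_issuer,
        "jwks_kids": [k.get("kid") for k in keys],
    }

# Constructed sample data: hypothetical tenant, placeholder kids and key material.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "org-key-1", "alg": "RS256",
                         "use": "sig", "n": "AQAB", "e": "AQAB"}]}
CONFIGURED_ISSUER = "https://example-tenant.okta.com"

def sample_token() -> str:
    """Constructed token whose kid is absent from SAMPLE_JWKS and whose iss
    carries an authorization-server path; the signature is a placeholder."""
    header = {"kid": "custom-as-key-7", "alg": "RS256", "typ": "JWT"}
    claims = {"iss": "https://example-tenant.okta.com/oauth2/default", "sub": "user@example.com"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"

if __name__ == "__main__":
    print(json.dumps(diagnose(sample_token(), SAMPLE_JWKS, CONFIGURED_ISSUER), indent=2))
```

To use it against a real setup, fetch the JWKS document from the jwk-set-uri in application.yml and pass the real bearer token; a token whose iss differs from the configured issuer-uri was issued by a different authorization server, and that server publishes its own JWKS at its own endpoint, so a kid mismatch is the expected result.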