OIDC Token Signature Validation Fails

Followed the Okta instructions for getting the JSON Web Key(s) for my client. However, token validation fails with a signature validation exception.

Per the JWK Spec one of the keys have a “use” of verify. The ones Okta returns are all sig. I also tried getting the validation key from the authentication server via your dashboard. The key is that same as the one from the JWK endpoint.

What’s the correct way to get the validation key to validate the JWT returned from the token endpoint?

What language are you using? We have some libraries for JWT verification.

I followed the Spring Java tutorial. I’m familiar with OIDC and this doesn’t work with other libraries.

Which tutorial? Here’s a Java library we have for verifying JWTs: https://github.com/okta/okta-jwt-verifier-java

I managed to get it to work using okta-jwt-verifier, though the audience verification seems to be wrong. I had to enter the client ID rather than the audience value.

	JwtVerifier jwtVerifier = new JwtHelper().setIssuerUrl(issuerUrl).setAudience(clientID).build();

The value for the audience field on my AS is set to “all”. Is this a known issue or am I suppose to use the client ID ?


Oscar what type of Token are you validating? ID or Access?

I’m validating the id_token returned from the Token endpoint.

OK, the audience for a id_token is the client Id. You can use a tool like https://www.jsonwebtoken.io/ to view the token.

Are you using the decodeIdToken() method ?

I was able to retrieve the claims using the decodeAccessToken() method, I´ve replaced it with decodeIdToken() passing along the nonce param and it works.

I’ve also got it to work using the JJWT library (https://github.com/jwtk/jjwt):

RSAKey rsaKey = new RSAKey.Builder(new Base64URL(n), new Base64URL(e)).build();
RSAPublicKey publicKey = rsaKey.toRSAPublicKey();

	catch (SignatureException ex)

‘n’ (modulus value of Public Key) and ‘e’ (exponent value of the Public key) are retrieved from the keys endpoint, the ‘kid’(key ID) should match the one in the id_token.


1 Like