Okta - Error while resolving signing key for kid

Hi, I have the following auth middleware in my Node.js REST API. When I try to make a simple GET request from Postman I receive an error: "error": "Error while resolving signing key for kid "uGvTniLM9U6u1Odb-ZG80vlyYoUOdItjRLextcwiFzo"". Can you advise me how to solve it?

const OktaVerifier = require('@okta/jwt-verifier')

// The verifier downloads signing keys from `${issuer}/v1/keys` and matches
// them against the `kid` in the token header; ISSUER must be the bare
// authorization server URL.
const oktaVerifier = new OktaVerifier({
    issuer: process.env.ISSUER,
    assertClaims: { aud: 'api://default' },
})

module.exports = async (req, res, next) => {
    try {
        const { authorization } = req.headers

        if (!authorization) throw new Error('You must send an Authorization header')

        const [authType, token] = authorization.trim().split(' ')

        if (authType !== 'Bearer') throw new Error('Expected a Bearer token')

        // Verifies the signature, issuer, expiry and the asserted claims above.
        const { claims } = await oktaVerifier.verifyAccessToken(token)

        // `scp` carries the granted scopes; require the one this API expects.
        if (!claims.scp.includes(process.env.SCOPE)) {
            throw new Error('Could not verify the proper scope')
        }

        next()
    } catch (err) {
        next(err)
    }
}

What is your issuer?

https://dev-204698.oktapreview.com/oauth2/default

https://developer.okta.com/blog/2018/08/21/build-secure-rest-api-with-node - I tried to follow this article, but without writing a client.

@robertjd would have a better idea than me.

@robertjd can you consider my question? Maybe you have a good idea what the problem is there.

I have the same problem too. I have used the same issuer in both the client and the server. The key id in the error is the same as the kid in /v1/keys. I have also tried creating a new authorization server, but the error still persists. Can anyone help?

Issuer URL OKTA: 'https://dev-868765.oktapreview.com/oauth2/ausmz6fx8sjV3W2PX0h7'
OKTA Verifier:
const oktaJwtVerifier = new OktaJwtVerifier({
    issuer: 'https://dev-868765.oktapreview.com/oauth2/ausmz6fx8sjV3W2PX0h7/v1/authorize',
});

I have the same issue. Below is my access token:
Authorization:Bearer eyJraWQiOiJRWWZqQU4xTFFrWFFLNWdieUpva08zZkJuUzdQdHdzQ1FwQ0Jzd3l5MXBRIiwiYWxnIjoiUlMyNTYifQ.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.FwwsprtYNkPF3nEan3u8x_JB2TjPtHgOSRZWLUnROSUMHOqKSaE26nhwYbegeOo5AywW3ynUG0KrUkCwGRAi6weld-xV4w-P6289EIgMhUBbVEr22zq5SL-kw_ZJZb-t5jIri9kwANSW4WIzJuC3pkFaZm1g2rI41VjyRjh7lwGjD8R4XwFesJrKI9IjLina9Ysbcso562lkvAwDJ9-ktEjwhutbylMuihnfMU5hXzPlk4vY3CuZSH-pSH-ow-j9TWz_Lpow6XLXa-nqJQ0c87_dShLrjGhG4yLvsohh8eP2tIYp0MW7fzsp5jpZ1_nrqBD9SOBudkv17QAI19FYqg

Error:
{
"name": "JwtParseError",
"userMessage": "Error while resolving signing key for kid \"QYfjAN1LQkXQK5gbyJokO3fBnS7PtwsCQpCBswyy1pQ\"",
"message": "Error while resolving signing key for kid \"QYfjAN1LQkXQK5gbyJokO3fBnS7PtwsCQpCBswyy1pQ\"",

Please respond to me if any correction is needed. It was working fine for the last 4 months.

In case anyone else ends up here, I resolved this error by ensuring that the issuer was the same in both my front-end app and in the auth middleware. Mine were different, and when I made them the same, the error went away.


I am also facing the same error while resolving the signing key for kid. It works if I use a developer account of Okta, but gives me the same issue if I use my company Okta account.

You are likely seeing this error if your company Org lacks the API Access Management feature. This feature is turned on for POC purposes in all Developer Orgs, but, as I mentioned, it is likely not enabled in your paid org. This feature is necessary if your application is using a custom authorization server, such as the one called Default; OAuth use cases, where a resource server is protected via access tokens minted by Okta, require the use of custom authorization servers. This limitation is also discussed in the following KB article: Signature Validation Failed on Access Token

If this is a use case you would like to support, I’d recommend reaching out to your Okta account manager to discuss it further.