I want to use Okta as the back end authentication mechanism for an API I am writing with GoLang (using the Echo framework).
So I want to
Issue an API user an authentication token (JWT)
Allow the user to authenticate to the API using this token and have Okta verify that token
I thought the following API endpoints would help me do this
{{url}}/oauth2/default/.well-known/oauth-authorization-server
I would grab the jwks_uri from the returned object
Make a request to the keys endpoint
{{url}}/oauth2/default/v1/keys
Do I use the key(s) in this response to sign a JWT?
Maybe my question is all wrong here. Any tips or guidance would be greatly appreciated.
The endpoint you mention, {{url}}/oauth2/default/.well-known/oauth-authorization-server, is a document listing all the endpoints used when/for Okta to issue a JWT token. Your API shouldn’t be creating the JWT; instead Okta would be issuing the token and then your API would check the JWT it received to determine if it’s valid for accessing the requested resource.
Details about token validation and what the /keys endpoint is used for can be found here: Overview | Okta Developer
That’s right, the keys endpoint includes only the public key. We do not and will not show a private key at this endpoint and will only use the private keys internally to sign the token.
Are you asking how to validate a token issued by /default/v1/token? If so, you can view the header and payload of a JWT string using a tool like token.dev or jwt.io to see what kid is in the token. The ‘kid’ in the JWT should match one of the keys returned from the /keys endpoint.
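Putting the two answers together in Go (an added example, not code from this thread or from Okta's own SDKs): the JWKS fetched from {{url}}/oauth2/default/v1/keys is reduced to the JWK whose kid matches the token header, the RS256 signature is checked with that public key only, and the iss, aud and exp claims are then enforced. The issuer URL, audience, kid and the locally generated key pair in Fixture are constructed stand-ins so the code runs offline; a real API would fetch the keys over HTTPS and cache them.

```go
package main

import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "encoding/base64"
	"encoding/json"; "errors"; "math/big"; "strings"
)

// jwk/jwks mirror the RSA entries of {{url}}/oauth2/default/v1/keys: public material only, the kid selects the key.
type jwk struct{ Kid, N, E string }
type jwks struct{ Keys []jwk }
var b64 = base64.RawURLEncoding

// segment decodes one base64url-encoded JSON part of a compact JWT into v.
func segment(s string, v any) error {
	b, err := b64.DecodeString(s)
	if err != nil { return err }
	return json.Unmarshal(b, v)
}
// Verify checks an RS256 token's alg, kid, signature, issuer, audience (assumed a single string) and expiry.
func Verify(token string, set jwks, issuer, audience string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if segment(parts[0], &hdr) != nil || hdr.Alg != "RS256" { return nil, errors.New("alg must be RS256") } // the token must not choose the algorithm
	var pub *rsa.PublicKey // rebuild the public key from the JWK whose kid matches the header
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N); e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil { pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())} }
	}
	if pub == nil { return nil, errors.New("no usable key with kid " + hdr.Kid) }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil { return nil, errors.New("bad signature") }
	var claims map[string]any
	if segment(parts[1], &claims) != nil { return nil, errors.New("bad payload") }
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	if claims["iss"] != issuer || claims["aud"] != audience || int64(exp) <= now { return nil, errors.New("iss, aud or exp rejected") }
	return claims, nil
}

// Fixture stands in for the authorization server (constructed sample): a fresh key pair, the JWKS that would be published for it, and a signed token.
func Fixture() (string, jwks) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	set := jwks{Keys: []jwk{{Kid: "k1", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "k1"})
	cb, _ := json.Marshal(map[string]any{"iss": "https://example.okta.com/oauth2/default", "aud": "api://default", "sub": "user@example.com", "exp": 2000000000})
	signing := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + b64.EncodeToString(sig), set
}
```

In an Echo handler, Verify would run in middleware on the bearer token with the JWKS kept in a cache that is refreshed when an unknown kid appears, which is how key rotation at the /keys endpoint is handled.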