The JWT verifier library will not work if you are using the Org Authorization Server (issuer = https://${yourOktaDomain}). You must use a Custom Authorization Server instead (issuer = https://${yourOktaDomain}/oauth2/${authorizationServerId}); otherwise the ‘kid’ at the /keys endpoint will not match the one in the token, and this library may not work correctly with the Org server in general, as it is not designed to
PHP Notice: Trying to get property ‘jwks_uri’ of non-object in /website/TST5_EXT/webapps/okta/vendor/okta/jwt-verifier/src/JwtVerifier.php on line 129
[03-Nov-2021 09:53:24 CST6CDT] PHP Fatal error: Uncaught DomainException: Could not access a valid JWKS_URI from the metadata. We made a call to https://connect.oktapreview.com/oauth2/v1/authorize/.well-known/openid-configuration endpoint, but jwks_uri was null. Please make sure you are using a custom authorization server for the jwt verifier. in /website/TST5_EXT/webapps/okta/vendor/okta/jwt-verifier/src/JwtVerifier.php:130
So the issuer you are currently trying to use is the Org Authorization Server, which is the one that issues access tokens you will not be able to validate. More details about this here: Signature Validation Failed on Access Token | Okta Help Center.
In order to validate these tokens, you would need to use a Custom Authorization Server instead, which you may not be able to use in your org as it requires an additional API Access Management license. You’ll know you have the required feature if you can navigate to Security → API → Authorization Servers. This tab will not exist if you do not have this feature and it is where these custom servers can be created and modified.
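The two preconditions the reply above describes (the discovery document for the issuer must advertise a jwks_uri, and the kid in the token header must be present in that JWKS) can be checked without the PHP library. The script below is an added example written for this thread, not code from the okta/jwt-verifier project; the domain, key material and tokens are constructed and no signature is verified. It also classifies an issuer string as Org Authorization Server, Custom Authorization Server or neither, which is the first thing to look at when the discovery call in the log goes to an unexpected URL.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlparse


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def classify_issuer(issuer: str) -> str:
    """'org' for the Org Authorization Server (bare Okta domain), 'custom' for
    https://{domain}/oauth2/{authorizationServerId}, 'invalid' for anything
    else, e.g. an /authorize endpoint URL pasted in as the issuer."""
    parts = [p for p in urlparse(issuer).path.split("/") if p]
    if not parts:
        return "org"
    if len(parts) == 2 and parts[0] == "oauth2":
        return "custom"
    return "invalid"


def metadata_url(issuer: str) -> str:
    """Discovery document a verifier fetches to learn jwks_uri for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def jwt_kid(token: str) -> Optional[str]:
    """Read 'kid' from the (unverified) JWT header. No signature check here."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("kid")


def check_token_against_metadata(token: str, metadata: dict, jwks: dict) -> str:
    """Mirror the verifier's two preconditions: metadata must advertise a
    jwks_uri, and the token's kid must appear in that JWKS. Returns
    'no_jwks_uri', 'kid_not_found' or 'ok'. Actual signature verification
    would follow after 'ok' and is out of scope for this check."""
    if not metadata.get("jwks_uri"):
        return "no_jwks_uri"
    kid = jwt_kid(token)
    if kid is None or not any(k.get("kid") == kid for k in jwks.get("keys", [])):
        return "kid_not_found"
    return "ok"


# Constructed sample data (hypothetical domain, fake key material, no real
# signature): a token whose header carries kid 'key-2021-11', a Custom AS
# discovery document, a discovery document with no jwks_uri to reproduce the
# 'jwks_uri was null' failure from the log, and two JWKS documents.
ISSUER = "https://dev-000000.okta.com/oauth2/default"
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "key-2021-11"}).encode()),
    b64url_encode(json.dumps({"iss": ISSUER, "sub": "00u-example"}).encode()),
    b64url_encode(b"not-a-real-signature"),
])
CUSTOM_AS_METADATA = {"issuer": ISSUER, "jwks_uri": ISSUER + "/v1/keys"}
METADATA_MISSING_JWKS = {"issuer": "https://dev-000000.okta.com"}
MATCHING_JWKS = {"keys": [{"kty": "RSA", "kid": "key-2021-11", "use": "sig", "e": "AQAB", "n": "fake"}]}
OTHER_JWKS = {"keys": [{"kty": "RSA", "kid": "key-2020-05", "use": "sig", "e": "AQAB", "n": "fake"}]}

if __name__ == "__main__":
    for iss in ("https://dev-000000.okta.com", ISSUER,
                "https://connect.oktapreview.com/oauth2/v1/authorize"):
        print(f"{iss}: {classify_issuer(iss)} -> {metadata_url(iss)}")
    print(check_token_against_metadata(SAMPLE_TOKEN, CUSTOM_AS_METADATA, MATCHING_JWKS))
    print(check_token_against_metadata(SAMPLE_TOKEN, CUSTOM_AS_METADATA, OTHER_JWKS))
    print(check_token_against_metadata(SAMPLE_TOKEN, METADATA_MISSING_JWKS, MATCHING_JWKS))
```

Run it against your own values by replacing the constructed token and fetching the metadata and JWKS documents from the URLs it prints; a 'kid_not_found' result for a token that Okta issued is the mismatch the reply describes, and 'no_jwks_uri' means the issuer string itself needs fixing before any key lookup can succeed.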
I am using the /introspect to validate the access token, and that seems to be working well.
I am now struggling a bit to get the /logout endpoint to work as expected.
Actually, I am getting an error (my mistake). The logout endpoint is complaining that I am not providing the client_id, but I have provided the correct value.
{"errorCode":"invalid_client","errorSummary":"A client_id must be provided in the request.","errorLink":"invalid_client","errorId":"oaeN30gUpZASJqFKxk-dPV9pA","errorCauses":[]}
Are you providing the id_token_hint as a query parameter to the logout endpoint? Its value will be just the raw JWT string for the user logged in on that browser.
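To make the reply concrete, the script below builds the /logout redirect with id_token_hint as a query parameter and refuses to build it when the hint is missing or is not an ID token for the calling client. It is an added example for this thread, not Okta's or the jwt-verifier project's code; the issuer, client_id and tokens are constructed, and the aud/iss checks are an added precaution (an ID token's aud is the client_id, whereas an Okta access token carries the client in cid), which catches the common mistake of passing the access token as the hint.

```python
import base64
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying it; enough to inspect aud/iss."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def logout_endpoint(issuer: str) -> str:
    """Custom AS: {issuer}/v1/logout. Org AS (bare domain): {domain}/oauth2/v1/logout."""
    parts = [p for p in urlparse(issuer).path.split("/") if p]
    if not parts:
        return issuer.rstrip("/") + "/oauth2/v1/logout"
    return issuer.rstrip("/") + "/v1/logout"


def id_token_hint_problem(token: str, issuer: str, client_id: str) -> Optional[str]:
    """Return None if the token is usable as id_token_hint, else a reason.
    The aud/iss checks are this example's own sanity checks."""
    if not token or token.count(".") != 2:
        return "id_token_hint missing or not a raw JWT string"
    claims = jwt_claims(token)
    if claims.get("aud") != client_id:
        return "aud mismatch: not an ID token issued to this client (access token?)"
    if claims.get("iss") != issuer:
        return "iss mismatch: token was not issued by this authorization server"
    return None


def build_logout_url(issuer: str, id_token: str, client_id: str,
                     post_logout_redirect_uri: Optional[str] = None,
                     state: Optional[str] = None) -> str:
    """Build the browser redirect to /logout. The raw ID token JWT goes in
    id_token_hint; post_logout_redirect_uri must be one registered on the app."""
    problem = id_token_hint_problem(id_token, issuer, client_id)
    if problem:
        raise ValueError(problem)
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state:
        params["state"] = state
    return logout_endpoint(issuer) + "?" + urlencode(params)


def parse_logout_url(url: str) -> dict:
    """Split a built logout URL back into endpoint and single-valued params."""
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {"endpoint": url.split("?", 1)[0], **query}


# Constructed sample data: hypothetical issuer, client and unsigned tokens.
ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "0oa000000000000000"
HEADER = b64url(json.dumps({"alg": "RS256", "kid": "key-2021-11"}).encode())
SAMPLE_ID_TOKEN = ".".join([
    HEADER,
    b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-example"}).encode()),
    b64url(b"not-a-real-signature"),
])
SAMPLE_ACCESS_TOKEN = ".".join([
    HEADER,
    b64url(json.dumps({"iss": ISSUER, "aud": "api://default", "cid": CLIENT_ID}).encode()),
    b64url(b"not-a-real-signature"),
])

if __name__ == "__main__":
    print(build_logout_url(ISSUER, SAMPLE_ID_TOKEN, CLIENT_ID,
                           "https://app.example.com/loggedout", "xyz"))
    print(id_token_hint_problem(SAMPLE_ACCESS_TOKEN, ISSUER, CLIENT_ID))
```

The URL is meant to be sent as a browser redirect, not called server-side, because Okta ends the session tied to that browser's cookies; sending it from the backend with only the token logs nobody out.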