Protect php endpoints parseKeySet() error

I’m following the Protect your API endpoints - PHP guide.

I’m getting an error at this line:
$decoded = \Firebase\JWT\JWT::decode($accessToken, $keys);

The error is:
Fatal error: Uncaught TypeError: Firebase\JWT\JWK::parseKeySet(): Argument #1 ($jwks) must be of type array, null given, called in /Users/[redacted]/Local Sites/mywpsite/app/public/wp-content/themes/install-guides/vendor/firebase/php-jwt/src/CachedKeySet.php on line 152 and defined in /Users/[redacted]/Local Sites/mywpsite/app/public/wp-content/themes/install-guides/vendor/firebase/php-jwt/src/JWK.php:48

my hasValidAccessToken function:

function hasValidAccessToken() {
  // Require an access token is sent in the HTTP Authorization header
  if(!isset($_SERVER['HTTP_AUTHORIZATION']) || strlen($_SERVER['HTTP_AUTHORIZATION']) === 0) {
    return false;
  $accessToken = explode(' ', $_SERVER['HTTP_AUTHORIZATION'])[1];
  $keys = getJWKS();

  try {
    $decoded = \Firebase\JWT\JWT::decode($accessToken, $keys);
  } catch(\Exception $e) {
    echo $e->getMessage()."\n";
    return false;

  // Check the audience and issuer claims

  if($decoded->iss != OKTA_OAUTH2_ISSUER)
    return false;

  if($decoded->aud != OKTA_AUDIENCE)
    return false;

  return $decoded;


function getJWKS() {
  $httpClient = new \GuzzleHttp\Client();
  $httpFactory = new \GuzzleHttp\Psr7\HttpFactory();
  $cacheItemPool = \Phpfastcache\CacheManager::getInstance('files');

  $jwksUri = OKTA_OAUTH2_ISSUER.'/v1/keys';

  $keySet = new \Firebase\JWT\CachedKeySet(
      300,  // $expiresAfter int seconds to set the JWKS to expire
      true  // $rateLimit    true to enable rate limit of 10 RPS on lookup of invalid keys

  return $keySet;

I’ve dumped my env variables, and they are showing what seems like the correct settings:


I’ve stuck pretty close to the guide. Does anyone know what might cause a null argument to be passed there? What should be my next steps for troubleshooting?

It sort of sounds like the JWKS weren’t fetched. Can you tell if the network call to the JWKS endpoint is succeeding/occurring in your environment?

1 Like

Yes, that was the problem. The issuer in my config didn’t include the protocol:

Thanks for your help.

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.