Signature validation failure when switching from Okta preview to production

Configuration:
.NET Framework 4.6

Our code is similar to: https://developer.okta.com/blog/2018/08/29/secure-webforms-with-openidconnect-okta.

The app works fine with Okta preview. Preview org URL is:
https://dev-129065.oktapreview.com/oauth2/default

When we switch the app over to production with org URL:
https://ourrealdomain.okta-emea.com/oauth2/default

we get the following exception. Any idea what the issue might be?

Exception information:
Exception type: SecurityTokenSignatureKeyNotFoundException
Exception message: IDX10501: Signature validation failed. Unable to match keys:
kid: '[PII is hidden]',
token: '[PII is hidden]'.
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.d__9.MoveNext()

Hi @kleinbiker

On the production org, do you have the option to create custom authorization servers? This should be available under Admin >> Security >> API >> Authorization Servers.

I will check with the admins and get back to you on that.

BTW, the exception above is when validating the id_token, not access_token. Aren’t custom auth servers for the scenario when access_token is used for authorization? For our use case okta.org is sufficient, the only thing we do with the auth_token we get back is call Okta for userinfo.

I saw in another thread (Error: The signature key was not found) where someone was running into similar problems and ended up disabling the validation of the id_token. Wondering whether we have to go down that path.

Anyway, I will find out about the ability to create custom auth servers.

Thanks.

Hi @kleinbiker

Can you please open a support case with developers@okta.com in order to have this issue investigated? On the Okta authorization server, there should not be any problems in gathering the signing keys for ID tokens.

Did you update your keys endpoint within the app?

"jwks_uri": "https://(yourtenant).okta.com/oauth2/(yourauthzuid)/v1/keys",
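A small offline diagnostic for the IDX10501 "Unable to match keys" situation in this thread, added here as an example and not code from the thread, from Okta or from the linked blog post: it decodes the token's unverified header and payload, checks whether the kid is present in the JWKS the app is configured to trust, and reports when that kid is instead published by a different authorization server (org server vs. /oauth2/default). The URLs, kids and key entries are constructed placeholders, and the hypothetical jwks_by_issuer mapping stands in for what the OIDC middleware downloads from each server's metadata.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test input only)."""
    return ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, payload)) + ".c2ln"

def unverified_parts(token: str):
    """Decode header and payload WITHOUT signature verification: for diagnosis, never for trust."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def diagnose(token: str, configured_issuer: str, jwks_by_issuer: dict) -> list:
    """Explain an IDX10501-style failure: is the token's kid in the JWKS the app trusts?
    jwks_by_issuer maps each authorization server's issuer URL to its jwks_uri document."""
    header, payload = unverified_parts(token)
    kid, token_iss = header.get("kid"), payload.get("iss")
    problems = []
    if token_iss != configured_issuer:
        problems.append(f"issuer mismatch: token iss={token_iss!r}, app validates against {configured_issuer!r}")
    trusted_kids = {k["kid"] for k in jwks_by_issuer.get(configured_issuer, {}).get("keys", [])}
    if kid not in trusted_kids:
        problems.append(f"kid {kid!r} not found in the JWKS of {configured_issuer!r} (IDX10501)")
        for iss, jwks in jwks_by_issuer.items():
            if any(k.get("kid") == kid for k in jwks.get("keys", [])):
                problems.append(f"kid {kid!r} is published by {iss!r}: app points at the wrong authorization server")
    return problems

# Constructed sample data: two Okta-style authorization servers on one placeholder org,
# each publishing its own signing key (key material omitted; only the kid matters here).
ORG_AS = "https://ourrealdomain.okta-emea.com"
CUSTOM_AS = "https://ourrealdomain.okta-emea.com/oauth2/default"
JWKS = {ORG_AS: {"keys": [{"kty": "RSA", "kid": "org-key-1", "use": "sig"}]},
        CUSTOM_AS: {"keys": [{"kty": "RSA", "kid": "default-key-1", "use": "sig"}]}}
# An id_token minted by the custom server ("/oauth2/default"), as in the thread's production URL.
ID_TOKEN = make_unsigned_token({"alg": "RS256", "kid": "default-key-1"},
                               {"iss": CUSTOM_AS, "sub": "user@example.com", "aud": "client-id"})

if __name__ == "__main__":
    # App configured with the org server while the token came from /oauth2/default.
    print("\n".join(diagnose(ID_TOKEN, ORG_AS, JWKS)) or "no problems found")
```

When the app's issuer matches the server that minted the token, diagnose returns an empty list; the mismatch case reports both the issuer difference and which server actually publishes the kid.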