The client_assertion token has an expiration too far into the future?


I have a hivenw2 application which uses the Okta SDK. I created an Okta Application which uses a public/private key to authenticate my hivenw2 application.

The problem: I stopped my Hivenw2 application for a longer period of time (a couple of weeks), at startup I get the error:

Caused by: com.okta.sdk.impl.oauth2.OAuth2HttpException: invalid_client - The client_assertion token has an expiration too far into the future.

Caused by: com.okta.sdk.resource.ResourceException: HTTP 401, Okta null (null)

From the Okta System Log, the reason for the fail is: client_assertion_expires_too_far_in_future.

I couldn’t find anything related to this problem in the documentation, so maybe someone knows what the problem is and can give some solutions?

Thank you.

If your token has expired, it might be expected behavior if it hasn’t been managed correctly (e.g., clearing expired tokens after making requests to your service). Depending on the SDK you’re using, you may need to implement code to address this issue. Reviewing the SDK’s GitHub page can provide insights into the default behavior and how to handle expired tokens.

If the JWT’s expiration time exceeds 60 minutes in the future, Okta will reject it, citing an “invalid_client” error (401). This rejection occurs specifically due to the “client_assertion” token having an expiration that exceeds the acceptable time frame, even by a few seconds, especially when the client machine has a slight time drift ahead.

Its mentioned here that its valid for an hour, maybe this is using expired client token and hence you get this error?

You can read more about token lifetimes for org authorization servers - here Okta Help Center (Lightning)

Let me know if this helps?

1 Like

I totally agree with Krishna, but I want to stress something:

I think your application is caching the token, then when you restart it after the lengthy period of time it’s trying to use the old token before it does anything else. Two options: check the expiration time of the token in the cache to see if it has passed, or make sure you just clear any cached token before you start so you always have to get a new one.