The client JWKSet is invalid

giambattista · March 30, 2021, 11:07pm

Hi everybody,
I’m new here and thanks in advance, any help is very appreciated.
I’m building an hybrid/implicit flow, and when I call /authorize endpoint I’m getting stucked for a very strange error:

error=invalid_request_object&error_description=The+client+JWKSet+is+invalid.

I checked everything and followed the guide here: OpenID Connect & OAuth 2.0 API | Okta Developer

without the request object everything works fine.
Can you help me?

this is an example request,
https://dev-82755834.okta.com/oauth2/v1/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwb2FjZzRpM3ZudHI1blJEdjVkNiIsImF1ZCI6Imh0dHBzOi8vZGV2LTgyNzU1ODM0Lm9rdGEuY29tIiwic2NvcGUiOiJvcGVuaWQgb2ZmbGluZV9hY2Nlc3MiLCJpc3MiOiIwb2FjZzRpM3ZudHI1blJEdjVkNiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic3RhdGUiOiJhc2RmYXNkZmVhc2RmMzNmZiIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9zZWN1cml0eS1tcy8iLCJub25jZSI6IjcyYmZjNzBjZTgyIiwiY2xpZW50X2lkIjoiMG9hY2c0aTN2bnRyNW5SRHY1ZDYifQ.USWhAy5js3bew98j6UyvMak1vfJBSGHe3rQK6kLUbfzpVtEOsQZDJzP6j7OBIunnLrm7bdrduSDlgiYMyUjIdZbkoBSEkDhYLnMlJarbwKhg-FL4iEzsRiCrJc1egZ5IwFDQP7HAiDhHLy6AOjjMaoyA6LjeYweZjEaH05VYgNFajXZJhO7X9BKKbuprZNUbnds69aDxlT7y0B0hNmk73f6s5kFdZS4vYPP_FEhXVXSlRqL9-pvlKJ-KK9Q7I3_SLrmkvqjbyCbyzHN9L1et2jub8q1VN-Pkjve7YQ3_PoitzhuUjsmIHczhiH5_Nx936N4x3PYph3WlM_vSRhqjmg

and decoded request:
header {
“typ”: “JWT”,
“alg”: “RS256”
}
payload
{
“sub”: “0oacg4i3vntr5nRDv5d6”,
“aud”: “https://dev-82755834.okta.com”,
“scope”: “openid offline_access”,
“iss”: “0oacg4i3vntr5nRDv5d6”,
“response_type”: “code id_token”,
“state”: “asdfasdfeasdf33ff”,
“redirect_uri”: “http://localhost:8080/security-ms/”,
“nonce”: “72bfc70ce82”,
“client_id”: “0oacg4i3vntr5nRDv5d6”
}
signed with my private key, the public key is correctly stored in jwksuri of openid-configuration

thanks everybody

giambattista · March 30, 2021, 11:08pm

P.S. I tried everything, obviously, also adding mandatory query params etc, but I followed the guide.

dzeller · March 31, 2021, 12:03am

Hi @giambattista, have you registered the public key which corresponds to the private key used to sign the request object within Okta? It should go in the jwks element of your client as described here: Dynamic Client Registration | Okta Developer.

I have created a ticket to improve the documentation in the guide for this.

giambattista · March 31, 2021, 12:07am

Hi dzeller,
Thanks for quick reply, sure, I’ve registered the public key. How can I register again and verify the correct public key is used?

thanks
Giambattista

dzeller · March 31, 2021, 12:10am

You should GET the client via API via Dynamic Client Registration | Okta Developer, update the jwks in the returned object, then PUT it back Dynamic Client Registration | Okta Developer
You can verify that the update succeeded by inspecting the returned object from the PUT request.

giambattista · March 31, 2021, 12:22am

you magician!
thanks a lot, solved my issue, the jwks was NOT properly configured, BUT there is no way to check that, other than manual Curl…

thanks again, very appreciated, in italy (sicily) is late night, 2.20 am.
Giambattista

giambattista · March 31, 2021, 12:32am

To complete the use-case, if I don’t found the public key in https://dev-82755834.okta.com/oauth2/v1/keys, how con I verify the idToken?
followed istruction here
Overview | Okta Developer
the kid doesn’t match now
thanks

dzeller · March 31, 2021, 12:53am

The id_token signing key should certainly be returned by the /keys endpoint. Are you sure you’re not trying to validate the access_token, who’s signing keys will never be returned via /oauth2/v1/keys.

See Authorization Servers | Okta Developer for an explanation of why this is.

giambattista · March 31, 2021, 7:59am

Hi dzeller,
for sure I’m validating idToken, and the keys returned by the /keys endpoint does not match after updating my jwks following your guides. Before updating the keys was matching

thanks
Giambattista

this is an example:
“id_token”: “eyJraWQiOiJ0cGtUQjhzOUlKUnhRLXA3M1RSUGx6ZW5ybGQwdXlqeXJSeC1ZcllPa2FFIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVjM2YxNG1Zb3lOQnNMdzVkNiIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9kZXYtODI3NTU4MzQub2t0YS5jb20iLCJhdWQiOiIwb2FjZzRpM3ZudHI1blJEdjVkNiIsImlhdCI6MTYxNzE1MDk1NiwiZXhwIjoxNjE3MTU0NTU2LCJqdGkiOiJJRC45clFYNFNoOXpDTmY4cDJTa25aVk0yTy1SM0NNVDU0TkZxcTVqamRrekYwIiwiYW1yIjpbInB3ZCJdLCJpZHAiOiIwMG9jM2YxMHJNZEh1WWszWDVkNiIsIm5vbmNlIjoiZmY4ZjE0ZDctOWY4Ni00NDI1LTk1NmYtYmMxZjBhMGZiZWEyIiwiYXV0aF90aW1lIjoxNjE3MTQ2MzAyLCJhdF9oYXNoIjoiM1lXUEpEaWV6ak9PUGNHa0liYVRPUSJ9.Zaj7LQbWdDkjt2UpcBFoC6dlukjuWLPC-_H7WUtelyCE1OGhTznG2x6-y-jHEt0QymHaTPBX3SPdFqv6nv3dmgcxZKiaJTQbm9OdnrRwZiaB_tRbZAeWVsTnDFUMQ6H8NH5PxiPhGGRNjdicCVKMlALy6Wqj8kPPGRGEDkTQ1hTig1Hx5qyav1qj13p9Y4KjS9DnrpnuGQXcRnBkiuQYQWEEKkQNlB7anDdaNYbm6K9-yLS8AzO_4c7Zi_wb_mT1veXIuBIH2ZMY2TDSXvYV43tNqeD6olUzGRyV9Wtie3faSWti8JeflYUXIuwQa9Lyjm99RN6mU347Lq_6cRvrPA”

UPDATE
the keys in /keys endpoint are cached, just now are updated correctly, thanks, everything works fine

system · April 1, 2021, 8:00am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Client authentication 'The client JWKSet is invalid.' Error OAuth/OIDC	4	1227	April 4, 2024
Okta /token endpoint does not follow OAuth2 standard for invalid client_id Questions	3	2310	February 13, 2024
Consumption of JWT OAuth/OIDC	11	1937	February 15, 2024
2 identical jwk_uri in 2 applications, but one throws "Error retrieving the client JWKSet from jwks_uri." Questions	1	2418	February 12, 2024
Invalid_client Error when calling /token endpoint with Okta Sign-In Widget Questions	3	4624	February 12, 2024

The client JWKSet is invalid

Related topics