Timeout error when decoding the access token #questions:oauth-oidc

Hi All,

We are using the Okta JWT SDK to decode the access token but are getting the error below in the client environment, where the application is installed with HTTPS. Locally, the SDK works as expected and decodes the token.

com.okta.commons.http.HttpException: Unable to execute HTTP request - retryable exception: Read timed out
at com.okta.commons.http.okhttp.OkHttpRequestExecutor.executeRequest(OkHttpRequestExecutor.java:167) ~[okta-http-okhttp-1.3.3.jar:1.3.3]
at com.okta.commons.http.RetryRequestExecutor.doExecuteRequest(RetryRequestExecutor.java:147) ~[okta-http-api-1.3.3.jar:1.3.3]
at com.okta.commons.http.RetryRequestExecutor.executeRequest(RetryRequestExecutor.java:120) ~[okta-http-api-1.3.3.jar:1.3.3]
at com.okta.jwt.impl.http.OktaCommonsHttpClient.get(OktaCommonsHttpClient.java:54) ~[okta-jwt-verifier-impl-0.5.7.jar:0.5.7]
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.updateKeys(RemoteJwkSigningKeyResolver.java:89) ~[okta-jwt-verifier-impl-0.5.7.jar:0.5.7]
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.getKey(RemoteJwkSigningKeyResolver.java:81) ~[okta-jwt-verifier-impl-0.5.7.jar:0.5.7]
at com.okta.jwt.impl.jjwt.RemoteJwkSigningKeyResolver.resolveSigningKey(RemoteJwkSigningKeyResolver.java:56) ~[okta-jwt-verifier-impl-0.5.7.jar:0.5.7]
at com.okta.jwt.impl.jjwt.IssuerMatchingSigningKeyResolver.resolveSigningKey(IssuerMatchingSigningKeyResolver.java:52) ~[okta-jwt-verifier-impl-0.5.7.jar:0.5.7]
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:355) ~[jjwt-impl-0.11.5.jar:0.11.5]
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:529) ~[jjwt-impl-0.11.5.jar:0.11.5]
at io.jsonwebtoken.impl.ImmutableJwtParser.parse(ImmutableJwtParser.java:153) ~[jjwt-impl-0.11.5.jar:0.11.5]
at com.okta.jwt.impl.jjwt.TokenVerifierSupport.decode(TokenVerifierSupport.java:81) ~[okta-jwt-verifier-impl-0.5.7.jar:0.5.7]
at com.okta.jwt.impl.jjwt.JjwtAccessTokenVerifier.decode(JjwtAccessTokenVerifier.java:56) ~[okta-jwt-verifier-impl-0.5.7.jar:0.5.7]

Do you have a custom truststore? Are you able to make any API calls to Okta from this machine successfully?

Thank you for the response, @andrea. We asked the IT team to open connections for all the Okta domain URLs, so from that machine I am able to log in to the dashboard. From the native application, when trying to decode the token, it gives the above error. I believe that for decoding the token, the JWT SDK refers to the issuer URL.

Yeah, it should be (eventually) hitting the https://oktaDomain/oauth2/{{authorizationServerId}}/v1/keys endpoint.

Just to confirm, the Issuer of this token (iss claim within it), is it just your OktaDomain or does it end with something like /oauth2/default or /oauth2/aus123456789?

Hello @andrea, yes, we are using an issuer with /oauth2/default. Is there any issue with default?

Nope, it should be fine, I just wanted to double check that you’re using a custom authorization server like default.

Can you confirm that the application does manage to make an API call to https://oktaDomain/oauth2/default/v1/keys? Or is it timing out or otherwise encountering an issue when making that request?
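
One way to run the check asked for in the last reply from a JVM on the affected machine, so the request goes through that JVM's default truststore and network path. This is an added example, not code from the thread or from the Okta SDK; the class name JwksProbe, the 10-second timeout and the sample host oktaDomain.example are assumptions.

```java
import java.io.IOException;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.*;
import javax.net.ssl.SSLException;

public class JwksProbe {
    // Read iss from the UNVERIFIED payload: fine for locating the keys URL, never for trust decisions.
    static String issuerOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("not a JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"iss\"\\s*:\\s*\"([^\"]+)\"").matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("no iss claim");
        return m.group(1).replace("\\/", "/"); // undo JSON-escaped slashes
    }

    // The keys endpoint sits under the issuer, as described in the thread.
    static String keysUrl(String issuer) {
        return issuer.replaceAll("/+$", "") + "/v1/keys";
    }

    // One GET with explicit timeouts; the exception type shows which layer failed.
    static String probe(String url, int timeoutMs) {
        long start = System.currentTimeMillis();
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setConnectTimeout(timeoutMs);
            c.setReadTimeout(timeoutMs);
            return "HTTP " + c.getResponseCode() + " in " + (System.currentTimeMillis() - start) + " ms";
        } catch (UnknownHostException e) {
            return "DNS: cannot resolve " + e.getMessage();
        } catch (SSLException e) {
            return "TLS: " + e.getMessage() + " (compare the JVM truststore with the presented chain)";
        } catch (SocketTimeoutException e) { // message separates connect from read timeouts
            return "TIMEOUT: " + e.getMessage() + " after " + (System.currentTimeMillis() - start) + " ms";
        } catch (IOException e) {
            return "IO: " + e;
        }
    }

    public static void main(String[] args) {
        // Constructed sample token (header.payload.signature); pass a real token as args[0].
        String body = "{\"iss\":\"https://oktaDomain.example/oauth2/default\"}";
        String sample = "e30." + Base64.getUrlEncoder().withoutPadding().encodeToString(body.getBytes(StandardCharsets.UTF_8)) + ".sig";
        String url = keysUrl(issuerOf(args.length > 0 ? args[0] : sample));
        System.out.println(url + " -> " + probe(url, 10_000));
    }
}
```

A TIMEOUT result with "Read timed out" reproduces the failure in the stack trace outside the SDK, while an HTTP 200 means the keys endpoint is reachable from that JVM and the difference lies in how the application's HTTP client is configured.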