Unable to authenticate token with JWK set

Hello There,

We are facing a strange issue while authenticating.

When we authenticate from our dev-XXXX-admin.okta.com account, then we are able to redirect back to our application (running on https://).
But when we configure the actual URL provided by the client, then we are getting the below error.

WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Server Logs:

2019-08-21 06:17:24.717 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.s.a.ProviderManager                  : Authentication attempt using org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider
2019-08-21 06:17:24.717 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.w.c.RestTemplate                     : HTTP GET https://averydennison.okta.com/oauth2/v1/authorize/v1/keys
2019-08-21 06:17:24.718 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.w.c.RestTemplate                     : Accept=[text/plain, application/json, application/*+json, */*]
2019-08-21 06:17:24.895 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] o.s.w.c.RestTemplate                     : Response 404 NOT_FOUND
2019-08-21 06:17:24.900 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2019-08-21 06:17:24.900 [https-jsse-nio-443-exec-3] DEBUG ip-172-31-15-102 --- [-nio-443-exec-3] .o.s.r.w.BearerTokenAuthenticationFilter : Authentication request for failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found

https://github.com/okta/okta-spring-boot (we followed this reference code)
I am not able to find out the actual root cause.

We are using Angular-8 and Spring Boot-2.x.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must carry a valid bearer JWT; the decoder is built
        // from the spring.security.oauth2.resourceserver.jwt.* / okta.oauth2.* properties.
        http.cors().and()
            .authorizeRequests().anyRequest().authenticated().and()
            .oauth2ResourceServer().jwt();
    }
}

application.properties:

oktaOrgUrl=https://averydennison.okta.com
oktaApiToken=<api-token>
okta.oauth2.issuer=https://averydennison.okta.com/oauth2/v1/authorize
okta.oauth2.redirect-uri=/implicit/callback
okta.oauth2.audience=api://default
okta.oauth2.client-id=0oa1hhdpgukI7pNl90h8
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://averydennison.okta.com.okta.com/oauth2/0oa1hhdpgukI7pNl90h8/v1/keys

Hey @gagan_shah!

It looks like your issuer is wrong, it should likely be:
https://averydennison.okta.com/oauth2/0oa1hhdpgukI7pNl90h8
(based on your other config)

I’m guessing based on your question you only need the properties:

  • oktaOrgUrl
  • oktaApiToken
  • okta.oauth2.issuer

You can also inject the SDK client as well: https://github.com/okta/okta-spring-boot#inject-the-okta-java-sdk

NOTE: you included your API key, in this post, you should revoke it
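The failure in the thread is visible in the log line: the starter requested issuer + "/v1/keys", and because the configured issuer already ended in an endpoint path (/oauth2/v1/authorize) the derived JWK URL did not exist. The following is an added diagnostic, not code from the thread or from the okta-spring-boot project: it parses a Spring properties file, derives the JWK set URL the same way the log shows, and flags the two defects present in the posted config (an issuer that ends in an endpoint path, and a jwk-set-uri host with a doubled ".okta.com"). The hostnames, client id and authorization-server id in the sample properties are constructed placeholders.

```python
"""Lint the issuer / jwk-set-uri pairing of a Spring Boot resource-server config.

Added diagnostic; not part of the forum thread or the Okta starter.
"""
import json
import re
import urllib.request
from urllib.parse import urlparse

# Paths that belong to an endpoint, never to an issuer (the issuer is the
# authorization server's base URL).
ENDPOINT_PATH_SUFFIXES = ("/authorize", "/token", "/keys", "/userinfo", "/introspect")

# Constructed sample mirroring the shape of the posted config (placeholder values).
BROKEN_PROPERTIES = """
okta.oauth2.issuer=https://example.okta.com/oauth2/v1/authorize
okta.oauth2.audience=api://default
okta.oauth2.client-id=0oaEXAMPLECLIENT
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.okta.com.okta.com/oauth2/0oaEXAMPLECLIENT/v1/keys
"""

# Constructed corrected sample: issuer is the authorization server base URL and
# the JWK set URI is derived from it.
FIXED_PROPERTIES = """
okta.oauth2.issuer=https://example.okta.com/oauth2/ausEXAMPLESERVER
okta.oauth2.audience=api://default
okta.oauth2.client-id=0oaEXAMPLECLIENT
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.okta.com/oauth2/ausEXAMPLESERVER/v1/keys
"""


def parse_properties(text):
    """Minimal java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def expected_jwks_uri(issuer):
    """JWK set URL as the thread's log shows it being derived: issuer + '/v1/keys'."""
    return issuer.rstrip("/") + "/v1/keys"


def _host_findings(label, netloc):
    findings = []
    if re.search(r"(\.okta\.com){2,}$", netloc):
        findings.append(f"{label} host '{netloc}' repeats '.okta.com' (typo)")
    return findings


def lint_issuer_config(props):
    """Return a list of human-readable findings; an empty list means the pairing looks sane."""
    findings = []
    issuer = props.get("okta.oauth2.issuer", "")
    jwks = props.get("spring.security.oauth2.resourceserver.jwt.jwk-set-uri", "")
    if not issuer:
        return ["missing okta.oauth2.issuer"]
    iu = urlparse(issuer)
    if iu.scheme != "https":
        findings.append("issuer must be an https URL")
    path = iu.path.rstrip("/")
    for suffix in ENDPOINT_PATH_SUFFIXES:
        if path.endswith(suffix):
            findings.append(
                f"issuer ends with endpoint path '{suffix}'; derived JWK URL would be "
                f"{expected_jwks_uri(issuer)}"
            )
    findings += _host_findings("issuer", iu.netloc)
    if jwks:
        ju = urlparse(jwks)
        host_problems = _host_findings("jwk-set-uri", ju.netloc)
        findings += host_problems
        if not host_problems and ju.netloc != iu.netloc:
            findings.append(f"jwk-set-uri host '{ju.netloc}' differs from issuer host '{iu.netloc}'")
        if jwks.rstrip("/") != expected_jwks_uri(issuer):
            findings.append("jwk-set-uri does not match the URL derived from the issuer")
    return findings


def fetch_jwks_uri_from_discovery(issuer, timeout=5):
    """Optional online check: ask the issuer's OIDC discovery document for its jwks_uri."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # network access required
        return json.load(resp).get("jwks_uri")


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(name, lint_issuer_config(parse_properties(text)) or ["OK"])
```

Run it against a real properties file by reading the file into parse_properties; fetch_jwks_uri_from_discovery is the online follow-up, comparing the jwks_uri the authorization server itself advertises with the value you configured, which is the quickest way to confirm the pairing before restarting the resource server.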