Unable to resolve key for token signature

I am a newbie to Okta and trying to get the authorizer working; sorry if this is a silly question.

I have the authorizer created on Okta as:
  audience: api://default
  issuer: https://myarc.oktapreview.com/oauth2/
  Signing key rotation: automatic
  added sub and groups as claims and one scope variable.

I have created a web application with client_credentials enabled and am generating the token for this app, passing in the client credentials assigned to it and using the basic auth method.

Then I try to pass this token to my API Gateway Lambda authorizer, which uses the Okta authorizer created above via oauth2-bearer-jwt-handler. Additional details below on how the server side specifies the URLs.

  1. Which tool/library are you using to validate the access token - using require('oauth2-bearer-jwt-handler').JwtTokenHandler;

  2. What is the issuer URL that you have set? It should be of the form - generating the token at the client as : https://myarc.oktapreview.com/oauth2//v1/token (using client_credentials and basic auth)
    and at the server it is mentioned as https://myarc.oktapreview.com/oauth2/ as oauth validation

  3. Which /keys endpoint are you invoking? - https://myarc.oktapreview.com/oauth2/ /v1/keys

  4. The audience is set to api://default both when generating the token and on the authorizer Lambda.

When I make a request to this authorizer it fails to execute the verifyRequest method on the handler with the following error:
2020-02-26T18:06:22.644Z 66a9e7be-ae94-41ba-a1eb-eca52b3c1fce INFO ipa-node-lambda-api-authorizer Failed to validate bearer token { BearerTokenError: Unable to resolve key for token signature
    at self._keyResolver.getSigningKey.then.catch.err (/var/task/node_modules/oauth2-bearer-jwt-handler/lib/jwt-token-handler.js:265:19)
    at process._tickCallback (internal/process/next_tick.js:68:7)
  realm: 'api://default',
  errorCode: 'invalid_token',
  name: 'BearerTokenError',
  message: 'Unable to resolve key for token signature',
  challenge:
   'Bearer realm="api://default", error="invalid_token", error_description="Unable to resolve key for token signature"',
  statusCode: 401 }

Lambda authorizer code:
const JwtTokenHandler = require('oauth2-bearer-jwt-handler').JwtTokenHandler;
const AuthPolicy = require('./auth-policy');
const fs = require('fs');

// Handler is configured from the Lambda environment: expected issuer,
// expected audience and the URL of the authorization server's JWKS.
const jwtTokenHandler = new JwtTokenHandler({
    issuer: process.env.ISSUER,
    audience: process.env.AUDIENCE,
    jwks: process.env.URL
});

console.log('Loading function');

exports.handler = function (event, context, callback) {
    // Log prefix. `c` was never defined in the posted code; the Lambda request id
    // is assumed here so the file runs as written.
    const c = context.awsRequestId;
    console.log(c + " Starts");

    console.log(c + ' Client token: ' + event.authorizationToken);
    console.log(c + ' Method ARN: ' + event.methodArn);

    console.log("issuer :" + process.env.ISSUER);
    console.log("audience :" + process.env.AUDIENCE);
    console.log("jwks : " + JSON.stringify(jwtTokenHandler.jwks));

    // validate the incoming token
    // and produce the principal user identifier associated with the token
    jwtTokenHandler.verifyRequest({
        headers: {
            authorization: event.authorizationToken
        }
    }, function (err, claims) {
        console.log('claims: ');
        console.log(c + " " + claims);

        if (err) {
            console.log(c + ' Failed to validate bearer token', err);
            return callback("Unauthorized", null);
        }

        var principalId = Array.isArray(claims.sub) && claims.sub.length > 0 ? claims.sub[0] : JSON.stringify(claims.sub);
        console.log(c + ' request principal: ' + principalId);
        // if the token is valid, a policy must be generated which will allow or deny access to the client
        // build apiOptions for the AuthPolicy
        // (the rest of the handler, where the AuthPolicy is built and passed to callback, was not included in the post)
    });
};

If you are using the Org Authorization server, https://{{org}}.okta.com, you will not be able to locally validate access tokens generated by it as the keys found at the keys endpoint, https://{{org}}.okta.com/oauth2/v1/keys, will not match the keys present in the token. You can find more information about this here: Signature Validation Failed on Access Token

For your use case, you will want to ensure you’re using a custom authorization server to generate tokens so that you can validate them, such as the /default one generated for you that you appear to have (make sure you update all the endpoints to point to it): https://myarc.oktapreview.com/oauth2/default/.well-known/openid-configuration

Thanks for your reply, Andreaskouras. We are using the custom authorizer on Okta. These are our authorizer server details:
Name : IPA TA Auth Server
Audience: api://default
Issuer: https://myarc.oktapreview.com/oauth2/
Metadata URI: https://myarc.oktapreview.com/oauth2//.well-known/oauth-authorization-server

And on the client-side API authorization I am using the following URLs, which seem to match the URLs found in the metadata URI:
ISSUER="https://myarc.oktapreview.com/oauth2/auspwy30cr2usLxxxxxx"
AUDIENCE="api://default"
URL="https://myarc.oktapreview.com/oauth2/auspwy30cr2usLxxxxxx/v1/keys"

but seeing this issue still, not sure what I am missing.

For your default Auth Server, the following should be the correct values:
Issuer: https://myarc.oktapreview.com/oauth2/default
Metadata URI: https://myarc.oktapreview.com/oauth2/default/.well-known/oauth-authorization-server

Your application should point to the associated Issuer, Audience, and Keys endpoint as listed in the Metadata URI above. I'm a bit confused because in the first section you mention that the audience is api://default, which implies you are using the default server, but the paths in the bottom section have a different Authorization Server ID in them, auspwy30cr2usLxxxxxx.

Only the audience is api://default, but the issuer and metadata URIs that I posted for the authorizer have the same authorizer ID that I am using in the API authorizer Lambda code.

Issuer: https://myarc.oktapreview.com/oauth2/
Audience: api://default
Metadata URI: https://myarc.oktapreview.com/oauth2//.well-known/oauth-authorization-server

It looks like the post is removing the authorizer ID from the URIs that I posted, but it has the same authorizer ID that I am using on the Lambda code side. I have masked the last 6 characters of the ID.

After switching to jwt-verifier the issue got resolved; it looks like the jwt-oauth2 library I was using earlier does not support the client credentials method.
