Unable to verify JWT with Okta JWT Verifier

alex16 · April 19, 2022, 6:53pm

I am trying to verify a JWT token sent from a frontend app using the @okta/jwt-verifier package.I keep getting the below error

JwtParseError: Error while resolving signing key for kid "kp2hms0pqlMsflp34dc"
innerError: Error: unable to get local issuer certificate

The credentials I am using are similar to the below

OKTA_AUDIENCE = 'api://default'
OKTA_CLIENT_ID = '0psnmdjeuti34spl8'
OKTA_ISSUER = 'https://dev-04567220.okta.com/oauth2/default'

const OktaJwtVerifier = require('@okta/jwt-verifier');
const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: OKTA_ISSUER ,
  clientId: OKTA_CLIENT_ID 
});

oktaJwtVerifier.verifyAccessToken(token, OKTA_AUDIENCE )
.then(jwt => {
  // the token is valid (per definition of 'valid' above)
  console.log(jwt.claims);
})
.catch(err => {
  // a validation failed, inspect the error
});

What exactly am I doing wrong ?

erik · April 19, 2022, 7:20pm

It looks like your Okta Org does not have the API Access Management License, therefore the issuer you are using is not active.
https://dev-04567220.okta.com/oauth2/default/.well-known/openid-configuration

The default authorization server is a preconfigured custom authorization that comes with the API AM license.
If you will need to be able to remotely validate access tokens with your own APIs you should reach out to your Okta Account Executive to have API AM enabled.

alex16 · April 20, 2022, 4:57am

@erik That was an example to the ISSUER that I gave.My actual issuer is different and I am able to see all the APIs listed in json format when I go to the below URL.

https://{{OKTA_HOST}}.okta.com/oauth2/default/.well-known/openid-configuration

So what else can be the issue and how else can I verify the token?

alex16 · April 21, 2022, 6:36pm

@erik Any other reason why this could be happening?

andrea · April 21, 2022, 6:41pm

Can you double check that the issuer and client ID you’re providing to the verifier are correct? The issuer URL for the custom authorization server you are using can be found at Security → API → Authorization Servers → {{the authorization server you are using}} → Issuer URI and the Client ID is found at Applications → {{the application you are using}} → General → Client ID

Make sure that the Issuer you set here is the same as the one used by your front end app! You can check what issuer the front end app is using by decoding the token (using token.dev or jwt.io) and looking at the iss value.