Unexpected duplicate key in /keys endpoint for OpenID Connect and OAuth 2.0

Hi,

Starting late this afternoon we began receiving the following error message when attempting to decode the access token returned from a call to /token:

Caused by: java.text.ParseException: Invalid JSON: Unexpected duplicate key:kty at position 88.

Is Okta experiencing an issue with the dev environment?

Thanks,

Troy

It looks like the duplicated key comes from jwks_uri (e.g. https://dev-000000.oktapreview.com/oauth2/v1/keys?client_id=00000000000000000) where attribute “kty” appears twice in the response JSON.

I am using jose4j to validate JWT and this duplicated key causes the validation to fail.

Thanks,
dak

Hi Dak,

Are you also experiencing this issue, or just explaining the source of the problem?

Thanks,

Troy

Hi Everyone,

We are getting the same issue. Can Okta resolve the problem as soon as possible?

Thanks,

Sid

I’m not seeing the same thing on my free developer org:

https://tom-okta-free.oktapreview.com/oauth2/v1/keys?client_id=0oaf54f32e5c3h7a20h7

https://tom-okta-free.oktapreview.com/oauth2/default/v1/keys?client_id=0oaf54f32e5c3h7a20h7

Can you guys open a support ticket with developers@okta.com?

Can you guys share your org URL with me? If you don’t feel like dropping it in this forum, you can DM me directly.

Thanks,
Tom

We are seeing this same issue:

https://autotask.oktapreview.com/oauth2/v1/keys

kty appears twice in the JSON.

{"keys":[{"kty":"RSA","alg":"RS256","kid":"9t9U8NSZsnZr6lZ5jIu06v8feGygG_q2uuMmG6nQozY","kty":"RSA","use":"sig","e":"AQAB","n":"nEziNC02P7Huh7jZIWdpTZVDtCyzCmlqa3Yd5imBpgLjgjVjjwpHGmgYsLuRPQQ9d9MhquE9SCtNMHvmdN_eR7_2AewWUW5_ahKaRnF68dgFePrPxJIFEUcV2lvleUrXz6LT0dARB6f7YVNYtKavwBknOGUWlYdXlUxAHAX2zVswgSZGXsi3UFcnJQctEsnSyE5OZm3UEWCExlisGkOP-VuAHb4eGONNuC9pdoN3VUGEkQppX6JZ4RjBtcbnR8o1RauO2YXjoVkf1bgCgyBoVRZlVyiKJfqOnoKbG0ydKmd_rd99Flz_G4jparTI9dkGU1ooweCErj9BfcWhljlMAQ"},{"kty":"RSA","alg":"RS256","kid":"JOezGdl1NX5Om581mbOPkhPd4-YWzB1QQ665G1BsjJk","kty":"RSA","use":"sig","e":"AQAB","n":"gtXHdPbztP1MvifuDL-3OgVwCYrOTyPNuO4Q4_oZszeeJmnDuhoE6aC7RxOlendHQRUXct_U8NTGUTT0T_7lG0GeM_TwTILaiKo-WhLWuQKGXFcGEnA6o3cYpRTbhPf2Gn6LZZD5pLZccd6AlwhOFmsrBeDQUoSkDtxzsH9L-JImBb3v0p1_wQ7mLc3xgST2RrDizvfUhSYf4VWXd-VieCgiT4QXAinuJIX7IVfd2b_bUiDZ0HHoaUksiwGm7ISttzSL0Hptl3Di5FlCUVvr-VrapBXYu_HAc6GbXd1nyKIIOjhIbHA05YzHjCvauRmKdypae0H5wiEjOyW5xYtuFQ"}]}

That’s the response we are getting while decoding the access token.

Hi Tom. Not seeing a way to direct message you.

@fzardezed That is because you have two different keys of the same type, this is allowed based on the spec. That shouldn’t be invalid JSON.

I’m a little confused now. My thought on why the error is that the JSON is invalid is that key type kty appears twice in the same JSON key.

Like:

{
    "kty": "RSA",
    "kty": "RSA",
    "alg": "RS256",
    "kid": "9t9U8NSZsnZr6lZ5jIu06v8feGygG_q2uuMmG6nQozY",
    "use": "sig",
    "e": "AQAB",
    "n": "...."
}

Tom,

The “kty” appears twice PER key… Which is what makes it invalid.

Thanks

We just received the following from Okta support:

Our Support team has identified this issue with other customers too and has created an internal JIRA (OKTA-184752) for this and we are going to escalate it to the Engineering team for an immediate fix.

@fzardezed My mistake, the tool I was using was removing the duplicated values. HTTPie as well…

But using cURL is showing the duplicate values. I went ahead and alerted the engineering team. The forum isn’t going to be the best place to track this. Please open a case with developers@okta.com, they are aware of this.

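Added example, not part of any post above and not Okta's or jose4j's code: a Python check that reports repeated member names inside each JWK object, which a lenient JSON parser collapses silently (the last value wins) while a strict parser rejects the document. The sample JWKS is constructed to match the shape quoted in the thread, with placeholder "kid" and "n" values; the function names are hypothetical.

```python
import json

# Constructed sample shaped like the response quoted in the thread; the
# "kid" and "n" values are placeholders, not real key material.
SAMPLE_JWKS = (
    '{"keys":[{"kty":"RSA","alg":"RS256","kid":"example-kid-1","kty":"RSA",'
    '"use":"sig","e":"AQAB","n":"placeholder-modulus"}]}'
)


class DuplicateMember(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # json passes each object's (name, value) pairs here before building a dict.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateMember(name)
        seen[name] = value
    return seen


def strict_loads(text):
    """Parse JSON, failing on repeated member names as a strict parser would."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def duplicate_members(text):
    """Return repeated member names found anywhere in the document, in order."""
    dups = []

    def collect(pairs):
        seen = {}
        for name, value in pairs:
            if name in seen:
                dups.append(name)
            seen[name] = value
        return seen

    json.loads(text, object_pairs_hook=collect)
    return dups


if __name__ == "__main__":
    # Lenient parse: the last "kty" silently wins, so the output looks clean.
    print(json.loads(SAMPLE_JWKS)["keys"][0])
    print(duplicate_members(SAMPLE_JWKS))  # ['kty']
```

Two keys in the "keys" array that each carry "kty": "RSA" pass this check; only a name repeated inside one object is flagged. RFC 7517 requires JWK member names to be unique and lets a parser either reject duplicates or keep the last one, which is why different clients disagreed on the same response.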