We tried to use the jwt-verifier library to validate the access token instead of calling /introspect for better performance. But when we follow the steps in https://github.com/okta/okta-jwt-verifier-java it always throw an error for ‘a signing key must be specified if the specified jwt is digitally signed’, but we don’t know why and there’s no place to set a key.
Also we’re using the default authorization server with automatic key rotation. don’t know if that need to change. Thanks!
Have you set the issuer and audience properly? If the issuer is not correct, it won’t be able to retrieve the public keys to verify the signature.
Can you provide a code snippet?
1 Like
Thank you for the response. Yes I found out that I was using the default authorization server, I used {domain}/oauth2/v1/… for the authorization url and token url, which should be {domain}/oauth2/default/v1/… After doing this I’m able to get the claims now.
I have one more question, for the token validation, after I get the claims using the library, does that mean the signature verification already passed? What else should I verify during the token validation process other than the claims?
Hey @hma!
Once the validation method returns a Jwt, it is fully validated. Any/all validation problems will throw an exception.
1 Like
Thanks! @bdemers
that really helps, I’m able to get the returned Jwt now and should be good.
1 Like
@hma,
You may want to additionally validate the scopes though, (or some additional custom claim).
Should the issuer match the issuer value in the token? When I use the same issuer as the value in the token, the error is: failed to parse token.
Hi @ikaz
What is the issuer that you have in the JWT?
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.