Validating an access token with the Java JWT library always throws an exception

We tried to use the jwt-verifier library to validate the access token instead of calling /introspect, for better performance. But when we follow the steps, it always throws the error ‘a signing key must be specified if the specified jwt is digitally signed’, and we don’t know why; there’s no place to set a key.
Also, we’re using the default authorization server with automatic key rotation. We don’t know if that needs to change. Thanks!

Have you set the issuer and audience properly? If the issuer is not correct, it won’t be able to retrieve the public keys to verify the signature.

Can you provide a code snippet?


Thank you for the response. Yes, I found out that I was using the default authorization server: I used {domain}/oauth2/v1/… for the authorization URL and token URL, which should be {domain}/oauth2/default/v1/… After changing this I’m able to get the claims now.
I have one more question about the token validation: after I get the claims using the library, does that mean the signature verification has already passed? What else should I verify during the token validation process, other than the claims?

Hey @hma!

Once the validation method returns a Jwt, it is fully validated. Any/all validation problems will throw an exception.


Thanks, @bdemers!
That really helps. I’m able to get the returned Jwt now and should be good.


You may want to additionally validate the scopes, though (or some additional custom claim).
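The two points made in this thread, put together as one added example: the verifier must be built with the issuer of the authorization server that minted the token (the "default" custom authorization server here, so the issuer ends in /oauth2/default rather than /oauth2), and once decode() has returned a Jwt the signature, issuer, audience and expiry have all been checked, so the only thing left for the application is authorization, for example requiring certain scopes. This code is written for this page and is not from the thread or from the okta-jwt-verifier-java project. The org URL placeholder, the audience api://default, the scope names and the assumption that Okta carries granted scopes in the scp claim as a list of strings are all assumptions of the example.

```java
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;

import java.time.Duration;
import java.util.Collection;
import java.util.Set;

/**
 * Verifies an Okta access token locally (no /introspect round trip) and then
 * applies the extra check suggested in the thread: required scopes.
 *
 * Assumptions (not taken from the thread):
 *  - ORG_URL is a placeholder for your Okta org, e.g. https://dev-123456.okta.com
 *  - tokens come from the "default" custom authorization server, so the issuer
 *    is ORG_URL + "/oauth2/default"; ORG_URL + "/oauth2" is the org authorization
 *    server, a different issuer with a different key set
 *  - the audience is the default authorization server's default, "api://default"
 *  - granted scopes are in the "scp" claim as a list of strings
 */
public final class OktaAccessTokenCheck {

    private static final String ORG_URL = "https://{yourOktaDomain}"; // placeholder
    private static final String ISSUER = ORG_URL + "/oauth2/default";
    private static final String AUDIENCE = "api://default";

    private final AccessTokenVerifier verifier;

    public OktaAccessTokenCheck() {
        // The verifier fetches the signing keys (JWKS) from the issuer's metadata
        // and caches them, so automatic key rotation needs no key configured here.
        // A wrong issuer means the wrong key set, or none at all.
        this.verifier = JwtVerifiers.accessTokenVerifierBuilder()
                .setIssuer(ISSUER)
                .setAudience(AUDIENCE)
                .setConnectionTimeout(Duration.ofSeconds(1))
                .build();
    }

    /**
     * decode() returns only if signature, issuer, audience and expiry all
     * checked out; any validation problem is reported as an exception.
     */
    public Jwt verify(String bearerToken) throws JwtVerificationException {
        return verifier.decode(bearerToken);
    }

    /**
     * A valid token proves who the caller is, not what they may do. Require the
     * scopes this endpoint needs before acting on the request.
     */
    public Jwt verifyWithScopes(String bearerToken, Set<String> requiredScopes)
            throws JwtVerificationException {
        Jwt jwt = verify(bearerToken);
        Object scp = jwt.getClaims().get("scp"); // assumed claim name
        if (!(scp instanceof Collection<?>)) {
            throw new SecurityException("token carries no scp claim");
        }
        Collection<?> granted = (Collection<?>) scp;
        for (String required : requiredScopes) {
            if (!granted.contains(required)) {
                throw new SecurityException("missing required scope: " + required);
            }
        }
        return jwt;
    }

    public static void main(String[] args) {
        // Token is read from the first argument or the ACCESS_TOKEN variable.
        String token = args.length > 0 ? args[0] : System.getenv("ACCESS_TOKEN");
        OktaAccessTokenCheck check = new OktaAccessTokenCheck();
        try {
            Jwt jwt = check.verifyWithScopes(token, Set.of("openid", "orders:read")); // assumed scopes
            System.out.println("subject: " + jwt.getClaims().get("sub")
                    + ", expires: " + jwt.getExpiresAt());
        } catch (JwtVerificationException | SecurityException e) {
            // Reject on any failure and trust nothing parsed from the input token.
            System.err.println("rejected: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Scope failures are thrown as a separate exception type on purpose: a verification failure (bad signature, wrong issuer, expired) is a 401, while a valid token that lacks a scope is a 403, and keeping them distinct makes the difference visible in logs.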