
getKey access from OktaAuth

Open boubou158 opened this issue 2 years ago • 3 comments

Describe the feature request?

Due to how the server infrastructure is done, it is not possible to use the jwt-java-verifier library to validate the ID token / access token on the backend side, since it does a call to Okta to fetch the current public key to validate the tokens. I can't target any external API from the backend side without months of setup to be done.

I am currently looking for a way to, maybe, fetch the key from the front end, since it seems to be a public key, and send it to the backend to be able to validate the tokens. Would there be any security issue?

If there are no security issues, how could I simply retrieve the key from the frontend to send to the backend? I explored the different methods accessible through the OktaAuth service, but the getKey method is not directly accessible from it.

Thanks and best regards

New or Affected Resource(s)

NA

Provide a documentation link

No response

Additional Information?

No response

boubou158 avatar Nov 16 '22 12:11 boubou158

@boubou158 You can access the JWK set for your OIDC client via Okta's well-known endpoint; check the jwks_uri field in the response.

shuowu-okta avatar Nov 16 '22 14:11 shuowu-okta

@shuowu-okta thanks for your reply. Okta's well-known endpoint will only return me the URL, won't it? Is there any method that does the call directly in okta-angular? I can see the getKey method in okta-auth-js, but it does not seem to be exposed through okta-angular. Also, do you know if it would be a bad security practice to fetch the public key from the front end, pass it to the backend and validate the tokens from there using this public key?

boubou158 avatar Nov 16 '22 15:11 boubou158

Token validation should not be performed on the frontend (client side), nor should requests for public keys. These operations are intended to be server-to-server.

jaredperreault-okta avatar Nov 18 '22 17:11 jaredperreault-okta