okta-jwt-verifier-python icon indicating copy to clipboard operation
okta-jwt-verifier-python copied to clipboard

Published 20 hours ago verified publisher icon okta

No matching JWK when using the Org Authorization Server

Open ericbn opened this issue 1 year ago • 4 comments

This seems like a duplicate of #16, but I'm creating a new issue as I would like to initiate a new discussion.

I'm also using https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US as a base for my assumptions, as that describes exactly my scenario.

You can confirm that you are using the Org Authorization Server if the issuer of the token (stored in the iss claim) is your Okta domain URL, e.g. https://example.okta.com/

Yes, I can confirm that is what I get as iss value.

Cause

Signature validation fails, because the kid (key identifier) in access token's header does not have a matching kid from the key's endpoint (e.g. https://example.okta.com/oauth2/v1/keys).

That is exactly why I get the No matching JWK error when trying to validate the access token with an AccessTokenVerifier. The verify_access_token method tries to match the kid using the get_jwk method here:

https://github.com/okta/okta-jwt-verifier-python/blob/474fa9d04ea2cea527ccea87a9830080cb868715/okta_jwt_verifier/jwt_verifier.py#L96

and get_jwk fails because no matching key was found:

https://github.com/okta/okta-jwt-verifier-python/blob/474fa9d04ea2cea527ccea87a9830080cb868715/okta_jwt_verifier/jwt_verifier.py#L202-L203

According to the mentioned article above:

This is expected. By design, Okta does not provide keys for access tokens minted by an Okta org.

In #16 you already mentioned you won't support the introspection endpoint as that can be done as a direct http call without extra dependencies. Is the instrospection endpoint the only way to validate tokens from an Okta Org Authorization Server, or can the okta-jwt-verifier Python package somehow be used to validate such tokens too?

ericbn avatar May 22 '23 14:05 ericbn

Any updates regarding to this issue?

mostopalove avatar Aug 15 '23 07:08 mostopalove

We're also running on the same issue, any news?

naquiroz avatar Dec 05 '23 12:12 naquiroz

Are you intending to issue accessTokens from your org server and not the authorization server? Need to understand the use case a bit to fully grasp what you're wanting to accomplish but I ran into this same issue and found this post. In my case, I was sending accessTokens to a lambda authorizer function that was calling back to Okta and experiencing this error. For me the solution was to simply ensure that my client side access tokens were instead being issued by the okta authorization server instead of the org server and then everything worked out fine

nsilver7 avatar Mar 08 '24 20:03 nsilver7

Hi @nsilver7.

Are you intending to issue accessTokens from your org server and not the authorization server?

The tokens are issues by our Okta org authorization server, correct. Using an Okta custom authorization server instead is not an option in our case.

ericbn avatar Mar 08 '24 22:03 ericbn