
No matching JWK when using the Org Authorization Server #51

Open
ericbn opened this issue May 22, 2023 · 4 comments

Comments

@ericbn

ericbn commented May 22, 2023

This seems like a duplicate of #16, but I'm creating a new issue as I would like to initiate a new discussion.

I'm also using https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US as a base for my assumptions, as that describes exactly my scenario.

You can confirm that you are using the Org Authorization Server if the issuer of the token (stored in the iss claim) is your Okta domain URL, e.g. https://example.okta.com/

Yes, I can confirm that is what I get as iss value.

Cause

Signature validation fails, because the kid (key identifier) in the access token's header does not have a matching kid from the keys endpoint (e.g. https://example.okta.com/oauth2/v1/keys).

That is exactly why I get the No matching JWK error when trying to validate the access token with an AccessTokenVerifier. The verify_access_token method tries to match the kid using the get_jwk method here:

okta_jwk = await self.get_jwk(headers['kid'])

and get_jwk fails because no matching key was found:

if not okta_jwk:
    raise JWKException('No matching JWK.')

According to the mentioned article above:

This is expected. By design, Okta does not provide keys for access tokens minted by an Okta org.

In #16 you already mentioned you won't support the introspection endpoint as that can be done as a direct http call without extra dependencies. Is the introspection endpoint the only way to validate tokens from an Okta Org Authorization Server, or can the okta-jwt-verifier Python package somehow be used to validate such tokens too?
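To make the failure mode in this report concrete, here is an added example (my code, not part of okta-jwt-verifier or the Okta article) that decodes a token's header and claims without verifying them, recognises an Org Authorization Server issuer by its shape (the bare Okta domain, with no /oauth2/<id> path), and reproduces the kid lookup from the quoted get_jwk snippet against a constructed JWKS. Tokens that claim the org issuer are routed to introspection instead of a local JWKS match; everything else is matched by kid or fails with the same 'No matching JWK.' error. The sample tokens and the JWKS document are constructed for illustration and carry placeholder signatures; the routing rule and the key fields are my assumptions, not something the page specifies.

```python
"""Added example: route Okta access tokens by issuer before looking up a JWK.

Not code from okta-jwt-verifier. Assumes the verifier selects a key by matching
the JWT header 'kid' against each JWKS key's 'kid', as the quoted get_jwk does.
Sample tokens and JWKS below are constructed for illustration only.
"""
import base64
import json
from urllib.parse import urlparse


class JWKException(Exception):
    """Same exception name as in the issue's quoted snippet."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed sample token: real header and claims, placeholder signature.
    Only used to build test input; a real token is signed by Okta."""
    h = _b64url_encode(json.dumps(header).encode())
    c = _b64url_encode(json.dumps(claims).encode())
    return f"{h}.{c}.{_b64url_encode(b'placeholder-signature')}"


def decode_unverified(token: str) -> tuple:
    """Return (header, claims) of a compact JWS WITHOUT checking the signature.
    The result is untrusted input used only to decide how to validate."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def is_org_authorization_server(issuer: str) -> bool:
    """Org AS issuer is the bare Okta domain (e.g. https://example.okta.com/);
    a custom AS issuer carries an /oauth2/<server-id> path."""
    url = urlparse(issuer)
    return url.scheme == "https" and bool(url.netloc) and url.path.rstrip("/") == ""


def get_jwk(jwks: dict, kid: str) -> dict:
    """Same selection rule as the quoted verifier snippet: match on kid or fail."""
    okta_jwk = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if not okta_jwk:
        raise JWKException("No matching JWK.")
    return okta_jwk


def choose_validation(token: str, jwks: dict) -> str:
    """Return 'introspect' for tokens whose iss is an org authorization server
    (Okta publishes no keys for them), otherwise the kid of the matched JWK that
    a local signature check would use."""
    header, claims = decode_unverified(token)
    if is_org_authorization_server(claims["iss"]):
        return "introspect"
    return get_jwk(jwks, header["kid"])["kid"]


# Constructed JWKS, shaped like what a custom AS publishes at /oauth2/<id>/v1/keys.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "custom-as-key-1"},
    ]
}

# Constructed tokens for the two scenarios discussed in the issue.
ORG_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "org-key-1"},
    {"iss": "https://example.okta.com/", "sub": "user@example.com"},
)
CUSTOM_AS_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "custom-as-key-1"},
    {"iss": "https://example.okta.com/oauth2/default", "sub": "user@example.com"},
)

if __name__ == "__main__":
    print(choose_validation(ORG_TOKEN, SAMPLE_JWKS))        # introspect
    print(choose_validation(CUSTOM_AS_TOKEN, SAMPLE_JWKS))  # custom-as-key-1
    try:
        get_jwk(SAMPLE_JWKS, "org-key-1")
    except JWKException as exc:
        print(exc)                                          # No matching JWK.
```

The unverified decode is only a routing decision, never an authorization decision: a token that merely claims the org issuer gets sent to the org server's introspection endpoint, whose active/inactive answer is what the resource server actually trusts, while a token that claims a custom AS issuer still has to pass a full signature, issuer, audience and expiry check against that server's JWKS.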

@mostopalove

Any updates regarding this issue?

@naquiroz

naquiroz commented Dec 5, 2023

We're also running into the same issue, any news?

@nsilver7

nsilver7 commented Mar 8, 2024

Are you intending to issue accessTokens from your org server and not the authorization server? Need to understand the use case a bit to fully grasp what you're wanting to accomplish, but I ran into this same issue and found this post. In my case, I was sending accessTokens to a lambda authorizer function that was calling back to Okta and experiencing this error. For me the solution was to simply ensure that my client side access tokens were instead being issued by the okta authorization server instead of the org server, and then everything worked out fine.

@ericbn

ericbn commented Mar 8, 2024

Hi @nsilver7.

Are you intending to issue accessTokens from your org server and not the authorization server?

The tokens are issued by our Okta org authorization server, correct. Using an Okta custom authorization server instead is not an option in our case.
