No matching JWK when using the Org Authorization ServerΒ #51
Description
This seems like a duplicate of #16, but I'm creating a new issue as I would like to initiate a new discussion.
I'm also using https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US as a base for my assumptions, as that describes exactly my scenario.
You can confirm that you are using the Org Authorization Server if the issuer of the token (stored in the
issclaim) is your Okta domain URL, e.g.https://example.okta.com/
Yes, I can confirm that is what I get as iss value.
Cause
Signature validation fails, because the kid (key identifier) in access token's header does not have a matching kid from the key's endpoint (e.g.
https://example.okta.com/oauth2/v1/keys).
That is exactly why I get the No matching JWK error when trying to validate the access token with an AccessTokenVerifier. The verify_access_token method tries to match the kid using the get_jwk method here:
and get_jwk fails because no matching key was found:
okta-jwt-verifier-python/okta_jwt_verifier/jwt_verifier.py
Lines 202 to 203 in 474fa9d
According to the mentioned article above:
This is expected. By design, Okta does not provide keys for access tokens minted by an Okta org.
In #16 you already mentioned you won't support the introspection endpoint as that can be done as a direct http call without extra dependencies. Is the instrospection endpoint the only way to validate tokens from an Okta Org Authorization Server, or can the okta-jwt-verifier Python package somehow be used to validate such tokens too?