No matching JWK when using the Org Authorization Server

[ericbn]

This seems like a duplicate of #16, but I'm creating a new issue as I would like to initiate a new discussion.

I'm also using https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US as a base for my assumptions, as that describes exactly my scenario.

You can confirm that you are using the Org Authorization Server if the issuer of the token (stored in the iss claim) is your Okta domain URL, e.g. https://example.okta.com/

Yes, I can confirm that is what I get as iss value.

Cause

Signature validation fails, because the kid (key identifier) in access token's header does not have a matching kid from the key's endpoint (e.g. https://example.okta.com/oauth2/v1/keys).

That is exactly why I get the No matching JWK error when trying to validate the access token with an AccessTokenVerifier. The verify_access_token method tries to match the kid using the get_jwk method here:

okta-jwt-verifier-python/okta_jwt_verifier/jwt_verifier.py

Line 96 in 474fa9d

okta_jwk = await self.get_jwk(headers['kid'])

and get_jwk fails because no matching key was found:

okta-jwt-verifier-python/okta_jwt_verifier/jwt_verifier.py

Lines 202 to 203 in 474fa9d

	if not okta_jwk:
	raise JWKException('No matching JWK.')

According to the mentioned article above:

This is expected. By design, Okta does not provide keys for access tokens minted by an Okta org.

In #16 you already mentioned you won't support the introspection endpoint as that can be done as a direct http call without extra dependencies. Is the instrospection endpoint the only way to validate tokens from an Okta Org Authorization Server, or can the okta-jwt-verifier Python package somehow be used to validate such tokens too?

[mostopalove]

Any updates regarding to this issue?

[naquiroz]

We're also running on the same issue, any news?

[nsilver7]

Are you intending to issue accessTokens from your org server and not the authorization server? Need to understand the use case a bit to fully grasp what you're wanting to accomplish but I ran into this same issue and found this post. In my case, I was sending accessTokens to a lambda authorizer function that was calling back to Okta and experiencing this error. For me the solution was to simply ensure that my client side access tokens were instead being issued by the okta authorization server instead of the org server and then everything worked out fine

[ericbn]

Hi @nsilver7.

Are you intending to issue accessTokens from your org server and not the authorization server?

The tokens are issues by our Okta org authorization server, correct. Using an Okta custom authorization server instead is not an option in our case.

[BinoyOza-okta]

Hi @ericbn, please check if this issue persists with the latest release, version 0.3.0.

We will keep this issue open for another week to wait for your feedback. If we don't hear back, we'll assume the issue is resolved and close it. However, you are welcome to reopen it if the problem persists.

[ericbn]

Hi @BinoyOza-okta. How should I use version 0.3.0 of this package for the validation to work when using an Org Authorization Server?

EDIT: Currently I'm using pyjwt to do the offline validation, as described here, but this does not cover verifying the signature of the token.