okta / okta-jwt-verifier-python

https://github.com/okta/okta-jwt-verifier-python
Apache License 2.0

No matching JWK for Okta Org Auth Server #16

Closed. rravi-sift closed this issue 2 years ago.

rravi-sift commented 2 years ago

Issue

I am trying to use the okta-jwt-verifier as mentioned in https://github.com/okta/samples-python-flask. I am using an Okta org auth server and I am getting No matching JWK. On investigation, it looks like I am running into the issue mentioned in https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US

The article says one must use the https://example.okta.com/oauth2/v1/introspect API for validation. Is there a plan to support this use case?

The relevant section from the support article

Also, an access token from an Okta org is not safe to be used in an authorization use case, where the audience needs to be set to resource server and custom scopes/proper access policies are required. Therefore, Okta by design does not pass keys for this token.

If you wish you can use introspect API request https://example.okta.com/oauth2/v1/introspect to validate this access token remotely.

serhiibuniak-okta commented 2 years ago

@rravi-sift Thanks for posting a well-detailed issue. I guess you want to know if we are planning to add an additional feature: verifying tokens via the introspect endpoint? Let me investigate and I'll respond here with more details.

serhiibuniak-okta commented 2 years ago

@rravi-sift By design our jwt-verifier libraries (not only for Python) should use JWKs and are not designed to call the introspect endpoint. On the other hand, making an HTTP call to that endpoint with Python is a fairly trivial task, which can be done without any extra dependency.
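One way to do the remote check the thread points to, as an example added here (not part of this issue or of the okta-jwt-verifier library), using only the standard library against `https://example.okta.com/oauth2/v1/introspect` as in the support article. The client id, client secret and the sample responses are constructed placeholders; the `active`, `client_id`, `scope` and `exp` fields are the ones Okta documents for the introspection response, and the extra checks beyond `active` are this example's own choice.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def build_introspect_request(org_url, client_id, client_secret, token,
                             token_type_hint="access_token"):
    """Build the POST to {org_url}/oauth2/v1/introspect with HTTP Basic client auth."""
    url = org_url.rstrip("/") + "/oauth2/v1/introspect"
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": "Basic " + creds,
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def evaluate_introspection(body, expected_client_id, required_scopes=(), now=None):
    """Return (ok, reason). `active` alone is not enough: also pin the client
    the token was issued to and the scopes the caller needs."""
    data = json.loads(body)
    if data.get("active") is not True:
        return False, "token inactive"
    now = time.time() if now is None else now
    # Okta already rejects expired tokens as inactive; re-check exp defensively.
    if data.get("exp") is not None and data["exp"] <= now:
        return False, "token expired"
    if data.get("client_id") != expected_client_id:
        return False, "unexpected client_id"
    granted = set(data.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"


def introspect(org_url, client_id, client_secret, token, **checks):
    """Network round trip; not exercised offline."""
    req = build_introspect_request(org_url, client_id, client_secret, token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return evaluate_introspection(resp.read(), client_id, **checks)


# Constructed sample responses (placeholder client id, exp in year 2100).
SAMPLE_ACTIVE = json.dumps({"active": True, "client_id": "0oaEXAMPLEclientid",
                            "scope": "openid profile email",
                            "exp": 4102444800, "sub": "user@example.com"})
SAMPLE_INACTIVE = b'{"active": false}'
```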

rravi-sift commented 2 years ago

@serhiibuniak-okta that makes sense. However, I had followed https://github.com/okta/samples-python-flask to set up my application initially with flask-oidc, and flask-oidc works with both scenarios. So, it might be worth calling out that the approach in the sample app works only in an Okta developer account setup. Thanks for looking into this issue; I will close this and work on using the introspect API.

serhiibuniak-okta commented 2 years ago

@rravi-sift Thanks for providing a lot of details. Btw, the flask-oidc library is not well maintained and we've seen a few cases when it fails, but you can use its approach.