search

okta / okta-jwt-verifier-python

okta-jwt-verifier-python
https://github.com/okta/okta-jwt-verifier-python
Apache License 2.0
33 stars 17 forks source link

No matching JWK when using the Org Authorization Server #51

Open ericbn opened 1 year ago

ericbn commented 1 year ago

This seems like a duplicate of #16, but I'm creating a new issue as I would like to initiate a new discussion.

I'm also using https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US as a base for my assumptions, as that describes exactly my scenario.

You can confirm that you are using the Org Authorization Server if the issuer of the token (stored in the iss claim) is your Okta domain URL, e.g. https://example.okta.com/

Yes, I can confirm that is what I get as iss value.

Cause

Signature validation fails, because the kid (key identifier) in access token's header does not have a matching kid from the key's endpoint (e.g. https://example.okta.com/oauth2/v1/keys).

That is exactly why I get the No matching JWK error when trying to validate the access token with an AccessTokenVerifier. The verify_access_token method tries to match the kid using the get_jwk method here:

https://github.com/okta/okta-jwt-verifier-python/blob/474fa9d04ea2cea527ccea87a9830080cb868715/okta_jwt_verifier/jwt_verifier.py#L96

and get_jwk fails because no matching key was found:

https://github.com/okta/okta-jwt-verifier-python/blob/474fa9d04ea2cea527ccea87a9830080cb868715/okta_jwt_verifier/jwt_verifier.py#L202-L203

According to the mentioned article above:

This is expected. By design, Okta does not provide keys for access tokens minted by an Okta org.

In #16 you already mentioned you won't support the introspection endpoint as that can be done as a direct http call without extra dependencies. Is the instrospection endpoint the only way to validate tokens from an Okta Org Authorization Server, or can the okta-jwt-verifier Python package somehow be used to validate such tokens too?

mostopalove commented 1 year ago

Any updates regarding to this issue?

naquiroz commented 10 months ago

We're also running on the same issue, any news?

nsilver7 commented 6 months ago

Are you intending to issue accessTokens from your org server and not the authorization server? Need to understand the use case a bit to fully grasp what you're wanting to accomplish but I ran into this same issue and found this post. In my case, I was sending accessTokens to a lambda authorizer function that was calling back to Okta and experiencing this error. For me the solution was to simply ensure that my client side access tokens were instead being issued by the okta authorization server instead of the org server and then everything worked out fine

ericbn commented 6 months ago

Hi @nsilver7.

Are you intending to issue accessTokens from your org server and not the authorization server?

The tokens are issues by our Okta org authorization server, correct. Using an Okta custom authorization server instead is not an option in our case.