Open ericbn opened 1 year ago
Any updates regarding this issue?
We're also running into the same issue, any news?
Are you intending to issue accessTokens from your org server and not the authorization server? Need to understand the use case a bit to fully grasp what you're wanting to accomplish, but I ran into this same issue and found this post. In my case, I was sending accessTokens to a lambda authorizer function that was calling back to Okta and experiencing this error. For me the solution was to simply ensure that my client-side access tokens were instead being issued by the Okta authorization server instead of the org server, and then everything worked out fine.
Hi @nsilver7.
> Are you intending to issue accessTokens from your org server and not the authorization server?

The tokens are issued by our Okta org authorization server, correct. Using an Okta custom authorization server instead is not an option in our case.
This seems like a duplicate of #16, but I'm creating a new issue as I would like to initiate a new discussion.
I'm also using https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token?language=en_US as a base for my assumptions, as that describes exactly my scenario.
Yes, I can confirm that is what I get as the `iss` value. That is exactly why I get the `No matching JWK` error when trying to validate the access token with an `AccessTokenVerifier`. The `verify_access_token` method tries to match the kid using the `get_jwk` method here: https://github.com/okta/okta-jwt-verifier-python/blob/474fa9d04ea2cea527ccea87a9830080cb868715/okta_jwt_verifier/jwt_verifier.py#L96 and `get_jwk` fails because no matching key was found: https://github.com/okta/okta-jwt-verifier-python/blob/474fa9d04ea2cea527ccea87a9830080cb868715/okta_jwt_verifier/jwt_verifier.py#L202-L203
According to the article mentioned above:
In #16 you already mentioned you won't support the introspection endpoint as that can be done as a direct HTTP call without extra dependencies. Is the introspection endpoint the only way to validate tokens from an Okta Org Authorization Server, or can the `okta-jwt-verifier` Python package somehow be used to validate such tokens too?
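As an added diagnostic (not part of this issue thread or of the okta-jwt-verifier-python code), the snippet below reproduces the `kid` lookup the verifier performs against a JWKS, using a constructed token shape and a constructed key set, so a reader can see which side of the mismatch a `No matching JWK` error comes from. The token here is unsigned and the issuer URL is a placeholder; nothing decoded this way is trusted until the signature has been verified against the issuer's published keys.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> tuple:
    """Return (header, claims) WITHOUT checking the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def find_jwk(jwks: dict, kid: str) -> Optional[dict]:
    """Mirror the verifier's lookup: the key whose 'kid' matches, else None."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    return None


def diagnose(token: str, jwks: dict) -> str:
    """Explain whether the JWKS that was fetched can serve this token's kid."""
    header, claims = decode_unverified(token)
    kid, iss = header.get("kid"), claims.get("iss")
    if kid is None:
        return "header has no kid: verifier cannot select a key"
    if find_jwk(jwks, kid) is None:
        return f"kid {kid!r} not in JWKS fetched for issuer {iss!r}: No matching JWK"
    return f"kid {kid!r} found for issuer {iss!r}: signature check can proceed"


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: token header/claims plus a JWKS from a *different* key set,
# i.e. the situation where the keys endpoint queried does not hold the signing key.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed-kid-A"}),
    _b64url({"iss": "https://example.okta.com", "sub": "user@example.com"}),
    "c2ln",  # placeholder signature, not a real RSA signature
])
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "constructed-kid-B", "use": "sig"}]}
```

Running `diagnose(SAMPLE_TOKEN, SAMPLE_JWKS)` reports the kid miss; swapping in a JWKS that contains `constructed-kid-A` reports that the signature check can proceed.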