In a recent Okta email, with the subject "Support Notification - Okta Access Token Is Changing", they say:
In order to avoid confusion, Okta is changing the signing method for the Okta Access Token so it is clear it should not be self-validated.
Maybe I'm misunderstanding what they mean by "self-validated" but it looks like this is happening in the Stormpath logic - OktaJwtAccountResolver.java:32.
I.e. the passed-in JWT string is an access_token generated by Okta, and in order to parse it, it is being validated locally - I'm taking it that this is self-validation? I.e. validating the token in your local logic rather than asking some remote Okta API to do so.
If this is the case then will this logic break on October 7th when Okta change how they sign access_token values such that they can't be self-validated?
While this is internal to the Stormpath API I'm interested a) because I'm hoping it won't suddenly break on October 7th and b) because I have some logic that's essentially piggy-backing on the current behavior and would like to know if it's scheduled to change in the near future.
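To make the term concrete, here is an added example (not part of the original post and not Stormpath or Okta code) of what local validation does, and how it fails closed when a token is signed with a key the application does not hold. It assumes the signing change takes that form; HS256 with the standard library stands in for the issuer's real signing scheme, and every key id, secret, claim and status name is constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, kid: str, key: bytes) -> str:
    """Issuer side (constructed): build an HS256 JWT tagged with a key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_locally(token: str, known_keys: dict, now: float) -> tuple:
    """Self-validation: verify with keys held locally, no call to the issuer.
    Returns (status, claims); claims are only returned when status is 'valid'."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        alg, kid = header["alg"], header.get("kid")
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError, KeyError):
        return ("malformed", None)
    if alg != "HS256":                        # pin the algorithm; the header is untrusted
        return ("unsupported_alg", None)
    key = known_keys.get(kid) if isinstance(kid, str) else None
    if key is None:                           # signed with a key we do not hold:
        return ("unknown_key", None)          # fail closed, the issuer must validate it
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return ("bad_signature", None)
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the signature checks out
    if claims.get("exp", 0) <= now:
        return ("expired", None)
    return ("valid", claims)

# Constructed sample data: key ids, secrets and claims are made up.
PUBLISHED = {"kid-published": b"constructed-secret-1"}   # keys the application can obtain
NOW = 1_700_000_000
CLAIMS = {"sub": "user@example.com", "exp": NOW + 3600}
OLD_STYLE = sign(CLAIMS, "kid-published", b"constructed-secret-1")
NEW_STYLE = sign(CLAIMS, "kid-private", b"constructed-secret-2")  # key never published
```

A caller that gets `unknown_key` has no local way to trust the token; the remaining option is the remote check the post mentions, asking the issuer's API whether the token is active.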