500: Key with 'kid' of XYZ could not be found via the '/oauth2/v1/keys' endpoint #1346
Note that this used to work in the past, and has stopped working.
|
@mraible can you assist with this? |
@mdeggies @amiryesh I just tried updating my okta-spring-boot-angular-pwa-example to RC3 and I'm able to start and authenticate with it.
[mraible:~/dev … -angular-pwa-example/server] master(+1/-1) ± git diff pom.xml
diff --git a/server/pom.xml b/server/pom.xml
index 12c808d..b6ae7c9 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -22,7 +22,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
- <stormpath.version>2.0.0-okta-rc2</stormpath.version>
+ <stormpath.version>2.0.0-okta-rc3</stormpath.version>
</properties>
The steps to set up an Okta dev account should match the README, but they're also in my blog post: https://developer.okta.com/blog/2017/06/13/add-authentication-angular-pwa |
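Review bot: the bump from 2.0.0-okta-rc2 to 2.0.0-okta-rc3 in the `<stormpath.version>` property is the only change in this hunk, and nothing in the diff shows where the Authorization Server is wired up; later comments in this thread report that the property okta.authorizationServer.id (capital "S") had to be set before the example worked, so a diff offered as evidence that RC3 authenticates should also show that setting in application.properties or the environment, otherwise readers cannot tell whether the version pin alone is sufficient.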
Thanks @mraible, I was also unable to repro (so assumed I was doing something wrong). We have a screenshare scheduled today to discuss further. |
@mraible ok, so I was just now able to reproduce. I'll post the clear repro steps in the original issue. |
I have the same problem. When I have everything set up and run the spring-boot-default app, after I log in, it shows a 500 error with the information: Key with 'kid' of 9095wbtMW021cUk8X4dUIzrNal0dSupo4 could not be found via the '/oauth2/v1/keys' endpoint. So why does this happen? Do I need to make any change in the Okta application? Thanks |
Hi @weidongdiao, @amiryesh: Thanks for your patience as we've escalated this. We've discovered the issue and have a fix that will work across all environments.

First, a quick overview of the solution: In each Okta tenant, you must create and configure an Authorization Server (AS) and ensure that the Okta Application is configured to use the AS in the "Access Policies" section. Then, the Stormpath SDK should be configured with the Authorization Server ID by setting the following env variable:

Here's some more background: Some time ago, Okta decided to sign org-level access tokens with a backend secret key not available to end users. This move was made to increase security when dealing with org-level tokens. The proper way to validate these tokens is by using the /introspect endpoint. Some orgs have not yet been updated with this change.

One of the purposes of the Authorization Server is to have access to public keys to validate JWTs "locally" (locally, in this context, being at the application server, like Spring Boot). You can see this in action locally, using these httpie (httpie.org) commands (just make sure to plug in the appropriate values from your org):
(Note the kid in the response.)
If you plug the access token you get back into
Here's some more detailed information on configuring the AS:
Let me know if you have any questions and please confirm that once the AS is configured and the environment settings are updated in the spring boot app, everything is working. |
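The failure described above comes down to one lookup: the application reads the `kid` from the token's JOSE header and searches the JWKS it downloaded for a key with that id. When the token was signed with Okta's backend key (an org-level token) or the SDK fetched keys from the wrong endpoint (org-level `/oauth2/v1/keys` instead of the Authorization Server's), the lookup comes back empty and the app reports exactly the 500 in the issue title. The script below is an added example, not code from the Stormpath SDK or from Okta, that reproduces that lookup so the error can be diagnosed before touching the Spring Boot app. It assumes the custom AS keys endpoint is `/oauth2/{asId}/v1/keys` (the org-level path `/oauth2/v1/keys` is the one quoted in the issue); the JWKS document, the tokens, the key ids and the function names are constructed for the example.

```python
import base64
import json
from typing import Optional

# Constructed sample JWKS shaped like an Okta keys response; not real key material.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig",
         "kid": "KEY-AS-0001", "n": "AQAB", "e": "AQAB"},
    ]
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Constructed token with an empty signature, only to feed the diagnostics."""
    return ".".join([
        b64url_encode(json.dumps(header).encode("utf-8")),
        b64url_encode(json.dumps(claims).encode("utf-8")),
        "",
    ])


def jwt_header(token: str) -> dict:
    """Read the JOSE header without verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0]))


def keys_url(org_url: str, as_id: Optional[str]) -> str:
    """JWKS endpoint the SDK should fetch. With no AS id this is the org-level
    '/oauth2/v1/keys' path quoted in the issue; with an AS id it is the custom
    Authorization Server's keys endpoint (assumed layout '/oauth2/{id}/v1/keys')."""
    base = org_url.rstrip("/")
    return f"{base}/oauth2/v1/keys" if not as_id else f"{base}/oauth2/{as_id}/v1/keys"


def find_signing_key(jwks: dict, kid: str) -> Optional[dict]:
    """The lookup that produces the thread's error when it returns None."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("use", "sig") == "sig":
            return jwk
    return None


def diagnose(token: str, jwks: dict) -> str:
    """Classify a token against the JWKS the application downloaded."""
    kid = jwt_header(token).get("kid")
    if kid is None:
        return "no-kid"            # nothing to match locally; validate via /introspect
    if find_signing_key(jwks, kid) is None:
        return "kid-not-in-jwks"   # org-level token, or the SDK fetched the wrong keys URL
    return "local-ok"              # a published key exists; local signature check can proceed


if __name__ == "__main__":
    as_token = make_unsigned_jwt({"alg": "RS256", "kid": "KEY-AS-0001"}, {"sub": "demo"})
    org_token = make_unsigned_jwt({"alg": "RS256", "kid": "ORG-BACKEND-KEY"}, {"sub": "demo"})
    for name, tok in [("as-token", as_token), ("org-token", org_token)]:
        print(name, diagnose(tok, SAMPLE_JWKS))
    print(keys_url("https://dev-123456.oktapreview.com", "ausEXAMPLEID"))
```

Run it with a real token and the JSON from your tenant's keys endpoint pasted into `SAMPLE_JWKS`: a result of `kid-not-in-jwks` means the token was not minted by the Authorization Server whose keys the app is fetching, which is the case this thread resolves by creating the AS, attaching it in "Access Policies" and pointing the SDK at its id. The header is decoded without any signature check, so the script is only a diagnostic and never a substitute for validation.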
Is this the correct notation for Spring Boot application.properties and AWS Environment variables? okta.authorizationserver.id |
I got it working with a capital "S" |
We need to update the doc with the instructions on how to create an Authorization Server (if you did NOT run the export/import) (the migration process does this for you) |
I'm running import/export... You're still missing one crucial step.
On 9/08/2017 3:05 AM, Brian Demers <[email protected]> wrote:
We need to update the doc with the instructions on how to create an Authorization Server (if you did NOT run the export/import) (the migration process does this for you)
|
@trautvetter, an authorization server is created in Okta for each application you have in Stormpath. If you use the export/import tools, you shouldn't be running into this issue. If you are, please let us know! |
It worked the very first time I ran the import tool. Several days went by and that Okta app stopped working suddenly. Any subsequent attempt to clear the account of all tokens, auth servers, groups, users, etc., and re-run the import tool failed to get it working again. After that I created a new Okta account and, with a clean slate, ran the import tool again. It did not work. That is what led me to this issue, and to learning about the requirement for this property: okta.authorizationServer.id. @amiryesh wasn't kidding when 27 days ago he said "This used to work ...". You really should update your documentation. I've wasted so much time on this that my boss has already told me just to get the hell off Okta onto something that works! It's a pity - Stormpath used to be awesome. |
git clone https://github.com/stormpath/stormpath-sdk-java.git
cd stormpath-sdk-java
git checkout okta
cd examples/spring-boot-default
and update the pom.xml file. Find and replace all occurrences of 2.0.1-okta-SNAPSHOT with 2.0.0-okta. Then build the SDK from the repository root and run the example:
cd ../..
mvn clean install
cd examples/spring-boot-default
mvn spring-boot:run