I have a grant/PKCE workflow for our SPA app to request an Access Token in Okta and have it sent to a resource server.
The SPA -> Okta part is settled, and sending the token to my Java resource server is simple. However, verifying the token is a little tricky for me.
If I simply use the great SDK provided by Okta, okta-jwt-verifier, the process is fairly simple:
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.JwtVerifiers;

// The verifier discovers the JWKS from the issuer and caches the signing keys
AccessTokenVerifier jwtVerifier = JwtVerifiers.accessTokenVerifierBuilder()
    .setIssuer("https://" + issuer + "/oauth2/default")
    .build();
The AccessTokenVerifier uses the issuer to gather the public keys transparently and validate a token.
However, our system has to support JWTs from multiple sources and, as such, we already have a dependency on the auth0 java-jwt v3.18 library. I was investigating ways to have auth0 get the public key and verify an access token but can't find a process for that.
What is the best way to create an instance of com.auth0.jwt.JWTVerifier to verify an Okta token?
Because of the logistics of what we are trying to support I need to avoid any starter libraries.
It can help to first understand the process with a non-vendor library, such as jose4j, which will work for any standards-based provider:
The best practice is for your resource server to specify the expected algorithm, issuer and audience like this, while also providing a URL to a JWKS or issuer endpoint.
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

var httpsJkws = new HttpsJwks(jwksEndpoint); // fetches and caches the provider's signing keys
var jwksKeyResolver = new HttpsJwksVerificationKeyResolver(httpsJkws); // picks the key by the token's "kid"
JwtConsumer consumer = new JwtConsumerBuilder()
    .setVerificationKeyResolver(jwksKeyResolver)
    .setJwsAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256) // reject "none", HS256, etc.
    .setExpectedIssuer("myissuer")
    .setExpectedAudience("myaudience")
    .build();
JwtClaims claims = consumer.processToClaims(accessToken); // throws InvalidJwtException on any failure
I suspect that both Okta and Auth0 libraries are compatible with each other's authorization server, since normal JWT validation is only usually done as above. Just look for the above inputs and use them. You should then quickly get a working solution.
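As an added example, not code from the question, the answer above, or either vendor's documentation: building the com.auth0.jwt.JWTVerifier the question asks for, with the signing keys resolved from Okta's JWKS through Auth0's companion jwks-rsa library, following the same recipe as the jose4j snippet (pin the algorithm, check issuer and audience, resolve the key by the token's "kid"). The class and method names, the sample issuer and audience values, and the JWKS path {issuer}/v1/keys are assumptions; in production, read "jwks_uri" from the issuer's /.well-known/openid-configuration document instead of hard-coding the path.

```java
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

/**
 * Verifies Okta access tokens with java-jwt + jwks-rsa (added example, not from the page).
 * Mirrors the jose4j recipe: pin the algorithm, check issuer and audience, and resolve
 * the signing key from the provider's JWKS by the token's "kid" header.
 */
public final class OktaAccessTokenVerifier {

    private final JWTVerifier verifier;

    /**
     * @param issuer   e.g. "https://dev-123456.okta.com/oauth2/default" (must equal the token's "iss" exactly)
     * @param audience the "aud" configured on the Okta authorization server, e.g. "api://default" (assumed value)
     */
    public OktaAccessTokenVerifier(String issuer, String audience) throws MalformedURLException {
        // Assumption: the Okta authorization server publishes its keys at {issuer}/v1/keys.
        // Safer in production: read "jwks_uri" from {issuer}/.well-known/openid-configuration.
        JwkProvider jwks = new JwkProviderBuilder(new URL(issuer + "/v1/keys"))
                .cached(10, 24, TimeUnit.HOURS)       // keep up to 10 keys for a day (Okta rotates keys)
                .rateLimited(10, 1, TimeUnit.MINUTES) // bound JWKS fetches triggered by unknown "kid"s
                .build();

        // java-jwt asks this provider for the public key whose id matches the token's "kid" header.
        // A resource server never signs, so the private-key methods return null.
        RSAKeyProvider keyProvider = new RSAKeyProvider() {
            @Override
            public RSAPublicKey getPublicKeyById(String kid) {
                try {
                    return (RSAPublicKey) jwks.get(kid).getPublicKey();
                } catch (JwkException e) {
                    // Unknown or unfetchable key: surface as a verification failure, not a server error
                    throw new JWTVerificationException("No signing key for kid " + kid, e);
                }
            }
            @Override public RSAPrivateKey getPrivateKey() { return null; }
            @Override public String getPrivateKeyId() { return null; }
        };

        // Algorithm.RSA256 pins "alg" to RS256: a token claiming "none" or an HMAC algorithm fails with
        // AlgorithmMismatchException, which closes the classic algorithm/key-confusion attack.
        this.verifier = JWT.require(Algorithm.RSA256(keyProvider))
                .withIssuer(issuer)
                .withAudience(audience)
                .acceptLeeway(30) // tolerate 30 seconds of clock skew on exp/iat/nbf
                .build();
    }

    /** Returns the verified claims, or throws JWTVerificationException (bad signature, expired, wrong iss/aud, ...). */
    public DecodedJWT verify(String accessToken) {
        return verifier.verify(accessToken);
    }

    // Example wiring as it would sit in a request filter; the issuer and audience are placeholders.
    public static void main(String[] args) throws Exception {
        OktaAccessTokenVerifier v = new OktaAccessTokenVerifier(
                "https://dev-123456.okta.com/oauth2/default", "api://default");
        try {
            DecodedJWT jwt = v.verify(args[0]);
            System.out.println("subject=" + jwt.getSubject()
                    + " scopes=" + jwt.getClaim("scp").asList(String.class));
        } catch (JWTVerificationException e) {
            System.out.println("reject: " + e.getMessage());
        }
    }
}
```

Requires both com.auth0:java-jwt (3.18 as in the question) and com.auth0:jwks-rsa on the classpath; neither is a starter library, so this fits the constraint in the question. Construct the verifier once (the JwkProvider cache lives in it) and reuse it per request; building one per request would defeat the cache and hit the rate limiter.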