I have a grant/PKCE workflow for our SPA app to request an Access Token in Okta and have it sent to a resource server.
The SPA -> Okta part is settled, and sending the token to my Java resource server is simple. However, verifying the token is a little tricky for me.
If I simply use the great SDK provided by Okta, okta-jwt-verifier, the process is fairly simple:
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.JwtVerifiers;
// The builder fetches the issuer's signing keys and validates issuer/expiry for us.
AccessTokenVerifier jwtVerifier = JwtVerifiers.accessTokenVerifierBuilder()
        .setIssuer("https://" + issuer + "/oauth2/default")
        .build();
The AccessTokenVerifier uses the issuer to gather the public keys transparently and validate a token.
However, our system has to support JWTs from multiple sources and, as such, we already have a dependency on the auth0 java-jwt v3.18 library. I was investigating ways to have auth0 get the public key and verify an access token but can't find a process for that.
What is the best way to create an instance of com.auth0.jwt.JWTVerifier to verify an Okta token?
Because of the logistics of what we are trying to support I need to avoid any starter libraries.
To verify an Okta Access Token using the auth0 Java JWT library without using starter libraries, you can manually fetch Okta's public key and then create a custom JWTVerifier instance. Here's a general outline of the steps:
1. Retrieve Okta's public keys: You can retrieve Okta's public keys using the JWKS (JSON Web Key Set) URL provided by Okta. This URL typically looks like: https://your-okta-issuer/.well-known/jwks.json.
2. Parse the JWKS and extract the public key(s): Use a JSON parser to parse the JWKS response and extract the public key(s) associated with Okta. Each key in the JWKS represents a different public key that might have been used to sign Okta's JWTs.
3. Create a custom JWTVerifier: Use the extracted public key(s) to create a custom JWTVerifier instance from the auth0 library.
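The three steps above, worked through as an added example (not code from the question or the answer): it uses java-jwt 3.x's RSAKeyProvider hook so the verifier picks the signing key by the token's "kid" header, and auth0's companion jwks-rsa library to fetch and cache the JWKS instead of hand-parsing the JSON. Assumptions: jwks-rsa is on the classpath alongside java-jwt; the issuer and audience strings are placeholders; the JWKS is assumed to be served at issuer + "/v1/keys", which is where Okta authorization servers publish it (confirm against the jwks_uri in the issuer's /.well-known/openid-configuration). Issuer and audience are checked explicitly, because a valid signature alone does not prove the token was minted for this API.

```java
// Added example: verify an Okta access token with auth0 java-jwt 3.x + jwks-rsa.
// Placeholders below (issuer, audience) must be replaced with real values.
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

public final class OktaAccessTokenVerifier {

    private final JWTVerifier verifier;

    public OktaAccessTokenVerifier(String issuer, String audience) throws Exception {
        // Step 1: JWKS endpoint of the Okta authorization server (assumed path).
        // cached(): keep keys locally so each request does not hit Okta.
        // rateLimited(): bound JWKS fetches triggered by tokens with an unknown kid.
        JwkProvider jwks = new JwkProviderBuilder(new URL(issuer + "/v1/keys"))
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();

        // Step 2: resolve the public key for the token's "kid" at verification time,
        // so key rotation on the Okta side needs no redeploy.
        RSAKeyProvider keyProvider = new RSAKeyProvider() {
            @Override
            public RSAPublicKey getPublicKeyById(String kid) {
                try {
                    Jwk jwk = jwks.get(kid);
                    return (RSAPublicKey) jwk.getPublicKey();
                } catch (JwkException e) {
                    // Unknown or malformed key: fail verification, never fall back.
                    throw new IllegalStateException("No usable JWK for kid " + kid, e);
                }
            }

            @Override
            public RSAPrivateKey getPrivateKey() {
                return null; // verify-only: this service never signs tokens
            }

            @Override
            public String getPrivateKeyId() {
                return null;
            }
        };

        // Step 3: the custom JWTVerifier. Pinning RS256 here rejects tokens whose
        // header claims a different algorithm; issuer and audience are enforced too.
        this.verifier = JWT.require(Algorithm.RSA256(keyProvider))
                .withIssuer(issuer)
                .withAudience(audience)
                .acceptLeeway(30) // seconds of clock skew tolerated for exp/nbf/iat
                .build();
    }

    /** Throws JWTVerificationException on bad signature, issuer, audience or expiry. */
    public DecodedJWT verify(String token) throws JWTVerificationException {
        return verifier.verify(token);
    }

    public static void main(String[] args) throws Exception {
        String issuer = "https://example-org.okta.com/oauth2/default"; // placeholder
        String audience = "api://default";                               // placeholder
        OktaAccessTokenVerifier v = new OktaAccessTokenVerifier(issuer, audience);
        DecodedJWT jwt = v.verify(args[0]); // pass the bearer token as argv[0]
        System.out.println("subject=" + jwt.getSubject()
                + " scopes=" + jwt.getClaim("scp").asList(String.class));
    }
}
```

On a resource server you would construct one OktaAccessTokenVerifier per issuer at startup and reuse it; java-jwt's JWTVerifier is thread-safe, and the cached JwkProvider means only the first token with a new "kid" triggers a network fetch. If the system must accept tokens from several issuers, read the unverified "iss" claim first (JWT.decode, which performs no validation) to pick the matching verifier, and only then call verify.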