This article explains the error below that occurs during a token request. It focuses on scenarios where users host their own public key and encounter issues while calling the token endpoint.
Failed to retrieve JWKSet from jwks_uri
- Public/Private Key Pair
- OAuth Integrations
- Key Management
If a 401 Unauthorized error is received with the message "Failed to retrieve JWKSet from jwks_uri" while calling the token endpoint, it most likely means that Okta is unable to reach the public keys endpoint (the jwks_uri configured for the application). Without access to these keys, Okta cannot verify the signed request and rejects it with this error.
Check the following to resolve the issue:
- Ensure public accessibility: Verify that the keys are hosted on a publicly accessible URL. If they are behind a firewall, on a private network, or otherwise restricted, Okta will be unable to fetch them.
- Validate the certificate chain: If the keys are accessible, check for a broken or incomplete SSL certificate chain. A missing or misconfigured intermediate certificate can prevent Okta from establishing a secure connection. Tools such as DigiCert's certificate checker can verify the certificate chain.
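The following script is an added example, not Okta's tooling or code from this article. It reproduces both checks from the list above from the perspective of an outside party fetching your jwks_uri: it opens the URL with Python's default TLS trust store (so a missing intermediate certificate fails the same way it would for Okta), maps the failure to one of the two causes, and then validates that the returned document is a usable JWK Set. The sample JWK Set and its modulus are constructed values for demonstration; the function and variable names are this example's own.

```python
"""Self-check for a self-hosted jwks_uri (added example, not Okta's code)."""
import base64
import json
import ssl
import sys
import urllib.error
import urllib.request


def classify_fetch_error(exc: Exception) -> str:
    """Map a fetch failure onto the article's two root causes."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate-chain"          # chain/hostname did not verify
    if isinstance(exc, urllib.error.HTTPError):
        return f"http-{exc.code}"           # reachable, but not serving the keys
    if isinstance(exc, urllib.error.URLError):
        # urllib wraps TLS verification failures as URLError(reason=SSLCertVerificationError)
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return "certificate-chain"
        return "unreachable"                # DNS, firewall, private network, timeout
    return "other"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_to_int(value: str) -> int:
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def validate_jwks(doc: dict, min_bits: int = 2048) -> list:
    """Return a list of problems; an empty list means the JWK Set is usable."""
    problems = []
    keys = doc.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["document has no non-empty 'keys' array"]
    seen = set()
    for i, jwk in enumerate(keys):
        kid = jwk.get("kid")
        if not kid:
            problems.append(f"key[{i}]: missing kid")
        elif kid in seen:
            problems.append(f"key[{i}]: duplicate kid {kid!r}")
        seen.add(kid)
        # A JWKS is public by design; a private exponent here is a key leak.
        if any(f in jwk for f in ("d", "p", "q", "dp", "dq", "qi")):
            problems.append(f"key[{i}]: private key components are published")
        if jwk.get("kty") != "RSA":
            problems.append(f"key[{i}]: kty {jwk.get('kty')!r} is not RSA")
            continue
        if jwk.get("use", "sig") != "sig":
            problems.append(f"key[{i}]: use {jwk['use']!r} is not 'sig'")
        if "n" not in jwk or "e" not in jwk:
            problems.append(f"key[{i}]: missing n or e")
            continue
        try:
            n, e = _b64url_to_int(jwk["n"]), _b64url_to_int(jwk["e"])
        except ValueError:
            problems.append(f"key[{i}]: n or e is not valid base64url")
            continue
        if n.bit_length() < min_bits:
            problems.append(f"key[{i}]: modulus is {n.bit_length()} bits, below {min_bits}")
        if e < 3 or e % 2 == 0:
            problems.append(f"key[{i}]: public exponent {e} is invalid")
    return problems


def fetch_and_check(jwks_uri: str, timeout: float = 10.0) -> dict:
    """Fetch jwks_uri as a third party would (default trust store) and validate it."""
    ctx = ssl.create_default_context()  # verifies the full chain and the hostname
    try:
        with urllib.request.urlopen(jwks_uri, timeout=timeout, context=ctx) as resp:
            body = resp.read()
    except Exception as exc:  # noqa: BLE001 - we want to classify every failure
        return {"ok": False, "cause": classify_fetch_error(exc), "problems": []}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"ok": False, "cause": "not-json", "problems": []}
    problems = validate_jwks(doc)
    return {"ok": not problems, "cause": None if not problems else "invalid-jwks", "problems": problems}


# Constructed sample: a 2048-bit modulus made of fixed bytes, not a real key.
_CONSTRUCTED_MODULUS = b"\xc0" + b"\x01" * 255
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "example-key-1", "use": "sig",
                         "alg": "RS256", "n": _b64url_encode(_CONSTRUCTED_MODULUS), "e": "AQAB"}]}

if __name__ == "__main__":
    # Usage: python jwks_check.py https://your-host.example/.well-known/jwks.json
    if len(sys.argv) > 1:
        print(json.dumps(fetch_and_check(sys.argv[1]), indent=2))
    else:
        print("offline sample:", validate_jwks(SAMPLE_JWKS) or "OK")
```

A result of `"cause": "unreachable"` points at the first item in the list (the URL is not publicly accessible), `"certificate-chain"` at the second, and `"invalid-jwks"` with a problem list means Okta can reach the endpoint but the document it serves is not usable.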