Okta Client Assertion "Error: Invalid Key ID"
Okta Identity Engine
API Access Management
Overview

When using a JWT (JSON Web Token) client assertion for authentication, Okta may return an invalid_client error.

The error response is as follows:

{
  "error": "invalid_client",
  "error_description": "The client_assertion JWT kid is invalid."
}
Applies To
  • OpenID Connect
  • OAuth 2.0
  • AI Agents
  • Okta Identity Engine (OIE)
Cause

The kid (key ID) specified in the client assertion JWT header does not match any keys registered for the client or AI agent in Okta.

This error occurs when:

  • The kid is missing from the JWT header.
  • The kid does not match the key ID of the registered public key.
  • The client or AI agent has not been properly configured with a public key.
Solution
  1. Verify kid in JWT header: Ensure the kid is present in the JWT header by decoding it with jwt.io.
  2. Check registered keys: In the Okta Admin Console, navigate to the client or AI agent configuration and verify the public key.
       • Locate AI Agent keys by navigating to AI Agents > select the specific agent, and viewing Credentials.
       • Find OIDC client application public keys by navigating to Applications > Applications > select the OIDC application, and scrolling down to Public Keys.
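Both checks can also be run locally, which keeps the client assertion off third-party sites. The following is an added example, not Okta's code: the function names, the kid values and the sample JWKS are constructed for illustration, and the JWKS stands in for the public keys shown in the Admin Console.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def diagnose_kid(client_assertion: str, registered_jwks: dict) -> str:
    """Map a client assertion to one of the causes listed on this page."""
    parts = client_assertion.split(".")
    if len(parts) != 3:
        return "malformed: expected header.payload.signature"
    header = json.loads(b64url_decode(parts[0]))
    registered = [k.get("kid") for k in registered_jwks.get("keys", [])]
    if not registered:
        return "no public key registered for the client"
    kid = header.get("kid")
    if not kid:
        return "kid missing from JWT header"
    if kid not in registered:  # exact, case-sensitive string comparison
        return f"kid {kid!r} not in registered kids {registered}"
    return "ok"


def make_token(header: dict) -> str:
    # Constructed, unsigned sample token; the signature is a placeholder.
    payload = {"iss": "example-client-id", "sub": "example-client-id"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


# Constructed sample: the key set registered for the client (values are placeholders).
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "example-key-1",
                         "e": "AQAB", "n": "placeholder-modulus"}]}

if __name__ == "__main__":
    for hdr in ({"alg": "RS256", "kid": "example-key-1"},
                {"alg": "RS256"},
                {"alg": "RS256", "kid": "old-key"}):
        print(hdr, "->", diagnose_kid(make_token(hdr), SAMPLE_JWKS))
```

The script reads only the header and does not verify the signature, so a result of "ok" means the kid matches a registered key ID, not that the assertion is valid.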
