
JR.25173 (Customer) asked a question.
This is not the first time this question has been asked. Previous responses I found were insufficient. I want to validate an Okta JWT access token using the Kong Gateway Open Source JWT plug-in. This requires knowledge of both the signing key and the secret to properly configure. How do we locate the secret signing key used by Okta? Do we maybe need to manage our own keyid/secret in order to make this work with Okta? Let me know.

Hello @JR.25173 (Customer)
Thanks for posting.
1- Create a public/private key pair
To accomplish this please follow the steps provided on this link:
https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/
Note: Use the JSON Web Key Generator link to generate a JWKS public/private key pair for testing purposes only. For a production use case, use your own internal instance of the key pair generator.
2- Okta signs JWTs using asymmetric encryption (RS256), and publishes the public signing keys in a JWKS (JSON Web Key Set) as part of the OAuth 2.0 and OpenID Connect discovery documents. The signing keys are rotated on a regular basis. The first step to verify a signed JWT is to retrieve the current signing keys.
The OpenIdConnectConfigurationRetriever class in the Microsoft.IdentityModel.Protocols.OpenIdConnect package will download and parse the discovery document to get the key set. You can use it in conjunction with the ConfigurationManager class, which will handle caching the response and refreshing it regularly:
https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/
3- In the Signing Key box, paste the public and private key that you generated in the Create a public/private key pair step.
Let us know if this helps you.
Daniela Chavarria.
Okta Inc.
Hi Daniela,
Appreciate your response, but I'm doubtful that will help. The first issue is I'm using Java instead of dotnet. The bigger issue is I believe the scenario is different than what you are thinking. We've got a front-end Angular application that authenticates with Okta and (if successful) we then have Okta provide the ID Token and the Access Token. So, we don't get involved much with what Okta is doing when the tokens are generated. We then run the request through Kong GW and want it to validate that the Access Token is "good" before allowing it through the gateway. I suspect that Okta won't provide the "secret" it used to sign the token. My question was whether we could instead provide the "secret" Okta uses and associate it with a known "keyid" that Okta would publish at its /keys endpoint. Unless I'm missing something, the solution you provided doesn't address that challenge. Thanks and LMK
Daniela,
Dug a bit deeper into your suggestion and learned about the difference between RS256 vs HS256. The most difficult part of getting this to work was obtaining the Okta public RSA key (associated with the JWT signature) in PEM format. I eventually succeeded by forking a superseded GitHub project and doing some minor modifications to get it to work with an Okta default AuthZ server. Patched copy of modifications available at: /jridge/okta-jwks-to-pem. Even after that I needed to hand-modify the resulting PEM and replace all the "\n" with the Windows [Enter] key. Probably easier if I did this using Linux. After that I had a suitable PEM representation of the Okta public JWT signing key. I entered this value into the Kong consumer certificate and now I have the Kong Open Source JWT plugin verifying the Okta Access Tokens. Thanks for your insight.
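The JWKS-to-PEM step JR describes, as an added example that is not from the thread or from the forked okta-jwks-to-pem project: given a JWKS document of the shape Okta serves at its /keys endpoint, it selects the key by kid and emits a PEM public key with real newlines, so the literal "\n" cleanup mentioned above is not needed. The JWKS below is constructed sample data (the modulus is a byte pattern, not a real key); in practice the JSON is fetched from the authorization server's jwks_uri.

```python
# Convert an RSA public key from a JWKS (the shape Okta serves at /keys) into PEM,
# using only the standard library: the SubjectPublicKeyInfo DER is assembled by hand.
import base64

# AlgorithmIdentifier for rsaEncryption: OID 1.2.840.113549.1.1.1 with NULL params
RSA_ENCRYPTION_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def _b64url_decode(text):  # JWK fields are unpadded base64url; restore the padding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _der(tag, content):
    # TLV: short-form length below 0x80, otherwise 0x8N followed by N length bytes
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def _der_uint(raw):
    # DER INTEGER from an unsigned big-endian value; a 0x00 pad keeps it positive
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _der(0x02, raw)

def select_signing_key(jwks, kid):
    """Pick the key for the token header's kid; a miss usually means the JWKS rotated."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise KeyError(f"no signing key with kid={kid!r}; refetch the JWKS")

def jwk_to_pem(jwk):
    """Return a PEM PUBLIC KEY block with real newlines, not literal backslash-n."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA keys are supported")
    rsa_public_key = _der(0x30, _der_uint(_b64url_decode(jwk["n"]))
                          + _der_uint(_b64url_decode(jwk["e"])))
    spki = _der(0x30, RSA_ENCRYPTION_ALG_ID + _der(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pem_to_der(pem):
    lines = [line for line in pem.splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(lines))  # strip the armour to re-check the output

SAMPLE_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "example-kid-1",
    "n": base64.urlsafe_b64encode(bytes(range(1, 129)) * 2).rstrip(b"=").decode("ascii"),
    "e": "AQAB"}]}  # constructed sample: the 256-byte modulus is a pattern, not a real Okta key
```

The resulting string is what the Kong JWT credential takes as rsa_public_key with algorithm RS256; because Okta rotates its signing keys, the credential has to be refreshed whenever the kid carried in incoming tokens changes.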