You verify the Access or ID token's signature by matching the key that was used to sign it with one of the keys that you retrieved from your Okta Authorization Server's JWK endpoint. Specifically, each public key is identified by a kid attribute, which corresponds with the kid claim in the Access or ID token header.
If the kid claim doesn't match any key you retrieved, it's possible that the signing keys have changed. Check the jwks_uri value in the Authorization Server metadata and try retrieving the keys again from Okta.
To save the network round trip, your app should cache the jwks_uri response locally. The standard HTTP caching headers are used and should be respected.
The administrator can change the key rotation mode of the Authorization Server by updating its rotationMode property. For more information see the API Reference: Authorization Server Credentials Signing Object.
Keys used to sign tokens automatically rotate and should always be resolved dynamically against the published JWKS. Your app might fail if you hardcode public keys in your applications. Be sure to include key rollover in your implementation.
If your application can't retrieve keys dynamically, the administrator can disable the automatic key rotation in the administrator UI, generate a key credential, and update the application to use it for signing.
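The kid lookup, the single re-fetch when the kid is unknown, and the local key cache described above, as an added example that is not Okta's code: a minimal Python verifier for RS256 tokens against a JWKS. The fetch callable is a hypothetical hook standing in for an HTTP GET of jwks_uri (which in a real app honors the response's caching headers), and RSASSA-PKCS1-v1_5 is checked by hand with the standard library rather than a JWT library so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# DER DigestInfo prefix for SHA-256 used by RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _jwk_int(s: str) -> int:
    return int.from_bytes(b64url_decode(s), "big")

class KeyCache:
    """Holds kid -> (n, e) parsed from the last JWKS body returned by fetch; fetch is a
    hypothetical hook (assumption) that returns the raw jwks_uri JSON (HTTP GET in real code)."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.keys = {}

    def refresh(self):
        jwks = json.loads(self.fetch())
        self.keys = {k["kid"]: (_jwk_int(k["n"]), _jwk_int(k["e"]))
                     for k in jwks["keys"] if k.get("kty") == "RSA"}

    def verify_rs256(self, token: str) -> dict:
        h, p, s = token.split(".")  # ValueError unless exactly three segments
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "RS256":
            raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
        kid = header.get("kid")
        if kid not in self.keys:
            self.refresh()  # keys may have rotated: re-read jwks_uri once (key rollover)
            if kid not in self.keys:
                raise ValueError("unknown kid after JWKS refresh")
        n, e = self.keys[kid]
        k = (n.bit_length() + 7) // 8
        sig = b64url_decode(s)
        if len(sig) != k:
            raise ValueError("bad signature length")
        # RSASSA-PKCS1-v1_5: sig^e mod n must equal 00 01 FF..FF 00 || DigestInfo || SHA-256(h.p)
        em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
        t = SHA256_DIGESTINFO + hashlib.sha256(f"{h}.{p}".encode()).digest()
        expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
        if not hmac.compare_digest(em, expected):
            raise ValueError("signature mismatch")
        return json.loads(b64url_decode(p))  # only now are the claims trustworthy
```

A second kid miss after the refresh is treated as an error rather than refetching again, so a flood of tokens with bogus kids cannot turn your verifier into a jwks_uri hammer.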