JWT "typ" key missing from Okta token header

In the documentation for the JWT plugin we see:

When creating the signature, make sure that the header is:

{
    "typ": "JWT",
    "alg": "RS256"
}

It appears that Okta omits the “typ” key in the headers of its tokens. Is this a problem for Kong? We are trying to track down an issue where Kong rejects Okta tokens with the message “Invalid signature” … could this be the reason?

Hi,

The JWT plugin will return "invalid typ" as an error if the header is invalid. I believe it returns no error if it is missing.

If the token does not include this header, make sure that it is so while creating the signature as well. Otherwise, this error could be caused by a mis-configuration of the plugin (we would need more details to help you through it, but please be careful not to post application secrets and private keys online).
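
The point about the header and the signature, as an added example that is not part of the original posts and is not Kong or Okta code: a JWS signature covers the exact base64url header and payload segments as sent, so a token signed without "typ" verifies as issued, and rewriting its header to add "typ" afterwards invalidates the signature. Assumptions: HS256 (HMAC-SHA256) stands in for RS256 because the Python standard library has no RSA, and the key, "kid" and claims are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def encode_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(header: dict, payload: dict, key: bytes) -> str:
    # Signing input is the two encoded segments joined by "." (same rule for RS256).
    signing_input = encode_json(header) + "." + encode_json(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def inspect_header(token: str) -> dict:
    # First triage step for an "Invalid signature" report: what does the header say?
    header = json.loads(b64url_decode(token.split(".")[0]))
    return {"alg": header.get("alg"), "typ": header.get("typ"),
            "typ_present": "typ" in header}

def verify(token: str, key: bytes, expected_alg: str = "HS256") -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
        received_sig = b64url_decode(parts[2])
    except ValueError:
        return False
    if header.get("alg") != expected_alg:  # pin the algorithm, never trust the header
        return False
    # Recompute over the segments exactly as received, not a re-serialized header.
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, received_sig)

def add_typ(token: str) -> str:
    # Rewrite the header to include "typ" while keeping the original signature.
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    header["typ"] = "JWT"
    return encode_json(header) + "." + p + "." + s

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
TOKEN_NO_TYP = sign({"alg": "HS256", "kid": "demo-key-1"},
                    {"sub": "user@example.com"}, KEY)

if __name__ == "__main__":
    print(inspect_header(TOKEN_NO_TYP), verify(TOKEN_NO_TYP, KEY))
    print(inspect_header(add_typ(TOKEN_NO_TYP)), verify(add_typ(TOKEN_NO_TYP), KEY))
```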