Here are the steps that I used in Auth0:
- Create API – I gave it a name, but the key is the Identifier, which is used as the audience name when requesting the token.
- Had to create a custom scope for the Cloud API
- Create the Application
- Request a token via Postman; for ease, here is a curl command:
curl --request POST \
--url https://xxxxx/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"xxxx","client_secret":"xxxGmOBDDo","audience":"https://xxxx.com/cloud","grant_type":"client_credentials"}'
- The response would be:
{
"access_token": "xxxxxx",
"token_type": "Bearer"
}
- The token is submitted as part of the header token like the below example:
curl --request GET \
--url http://path_to_your_api/ \
--header 'authorization: Bearer eyJ0eXAiOixxxx'
- Spring validates the token by having the following two details:
security.oauth2.resource.jwk.keySetUri=https://xxxx/.well-known/jwks.json
security.oauth2.resource.id=https://xxxx/cloud
I think the security.oauth2.resource.id might be one of the keys to our issues, as this value is established by the API in step 1. This would equate to you having set up the API definition, but I'm not sure what value is set here or whether there is a custom value I can set. We tried using http://appliesto/oauthjwt when we tried to get this to work with ISAM.
The error that we get with ISAM is:
{
"error": "invalid_token",
"error_description": "Invalid JWT/JWS: kid is a required JOSE Header"
}
The configuration values that we had in place for ISAM are as follows:
security.oauth2.resource.jwk.keySetUri=https://xxxxx/mga/sps/oauth/oauth20/jwks/APIname
security.oauth2.resource.id=http://appliesto/oauthjwt
Looking at the note https://stackoverflow.com/questions/55659509/invalid-jwtoken-kid-is-a-required-jose-header I noticed their keys had dashes and the ones that I'm using do not… so I changed it to be:
security.oauth2.resource.jwk.keyUri=https://xxxx/mga/sps/oauth/oauth20/jwks/APIname
security.oauth2.resource.id=http://appliesto/oauthjwt
I got a different error message from Java once I hit the server:
java.lang.IllegalArgumentException: URI is not absolute
at java.net.URI.toURL(URI.java:1088) ~[na:1.8.0_91]
at org.springframework.http.client.SimpleClientHttpRequestFactory.createRequest(SimpleClientHttpRequestFactory.java:145) ~[spring-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
I tried to pull up the URL https://xxxx/mga/sps/oauth/oauth20/jwks/APIname and noticed it requires login, which means Spring would not be able to use it to get the cert details.
So in summary:
- I need the correct resource.id entry, as I don't think http://appliesto/oauthjwt is correct
- Need to be able to get to the public key without authorization
Any direction or help would be appreciated
------------------------------
Mubashir Naseer
Volkswagen of America
Detroit MI
------------------------------
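The two errors in the post ("kid is a required JOSE Header" and a resource id that does not line up with the token's audience) both come from the checks a JWKS-backed resource server runs before it accepts a bearer token. The following is an added illustration, not code from the post, from Spring Security, Auth0 or ISAM: it validates a JWT the same way (kid lookup in a JWKS, algorithm pinned to the key, signature check, audience compared with the configured resource id, expiry) and reports the error text a client would see. To run on the Python standard library it uses a constructed symmetric "oct" key with HS256; the JWKS published by Auth0 or ISAM carries RSA keys (kty "RSA", RS256), but the kid lookup and audience logic are the same. The key id, secret, issuer and expiry are constructed values; RESOURCE_ID reuses the Auth0 audience from the post.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS. A symmetric "oct" key keeps the example on the standard library; a real
# Auth0/ISAM JWKS carries RSA keys, but the kid lookup and the checks below work the same way.
JWKS = {
    "keys": [
        {
            "kty": "oct",
            "kid": "demo-key-1",  # constructed key id
            "alg": "HS256",
            "k": b64url_encode(b"constructed-demo-secret-not-for-production"),
        }
    ]
}

# What Spring's security.oauth2.resource.id is compared with: the token's "aud" claim.
RESOURCE_ID = "https://xxxx/cloud"


class TokenError(Exception):
    """Carries the kind of message a resource server returns as error_description."""


def sign_token(claims: dict, jwk: dict, include_kid: bool = True) -> str:
    """Mint an HS256 JWT; include_kid=False reproduces a token with no kid header."""
    header = {"typ": "JWT", "alg": jwk["alg"]}
    if include_kid:
        header["kid"] = jwk["kid"]
    signing_input = "%s.%s" % (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, jwks: dict, resource_id: str, now=None) -> dict:
    """Validate a bearer token against a JWKS and a resource id; return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("Invalid JWT/JWS: expected three dot-separated segments")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))

    # 1. kid selects the JWKS entry; without it the server cannot know which key to use.
    kid = header.get("kid")
    if not kid:
        raise TokenError("Invalid JWT/JWS: kid is a required JOSE Header")
    jwk = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if jwk is None:
        raise TokenError("Invalid JWT/JWS: no key with kid %r in the JWKS" % kid)

    # 2. Only the algorithm the key was published for is accepted (never trust alg alone).
    if header.get("alg") != jwk.get("alg") or jwk.get("kty") != "oct":
        raise TokenError("Invalid JWT/JWS: alg %r not allowed for key %r" % (header.get("alg"), kid))

    # 3. Constant-time signature check before any claim is trusted.
    expected = hmac.new(b64url_decode(jwk["k"]), (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenError("Invalid JWT/JWS: signature verification failed")

    # 4. The audience must contain the resource id, or the token was minted for another API.
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if resource_id not in audiences:
        raise TokenError("Invalid token: audience %r does not contain resource id %r" % (aud, resource_id))

    # 5. Expiry against the caller's clock (time.time() unless a test supplies one).
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("Invalid token: expired")
    return claims


def check(token: str, jwks: dict = JWKS, resource_id: str = RESOURCE_ID, now=None) -> str:
    """Return 'ok' or the error_description a client would see; useful when triaging 401 logs."""
    try:
        verify_token(token, jwks, resource_id, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    key = JWKS["keys"][0]
    claims = {"iss": "https://xxxx/", "aud": RESOURCE_ID, "scope": "read:cloud", "exp": 2000000000}
    print("kid present, audience matches:", check(sign_token(claims, key)))
    print("kid missing:                  ", check(sign_token(claims, key, include_kid=False)))
    print("resource.id mismatch:         ", check(sign_token(claims, key), resource_id="http://appliesto/oauthjwt"))
```

The third case shows why the resource.id value matters: it has to equal an entry in the token's aud claim, which the authorization server sets from the API identifier (the Auth0 audience, or whatever ISAM puts in aud for the API), not an arbitrary string. The JWKS itself is not fetched here; in a real deployment that fetch is unauthenticated, which is the second problem the post describes.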