Algorithm not supported - OAuth in Gentics Mesh

Question

I'm using the new OAuth support in Gentics Mesh, but getting an exception -

ecms-mesh-server     | 23:57:42.312 [] INFO  [vert.x-eventloop-thread-4] [i.v.e.w.h.i.LoggerHandlerImpl] - 192.168.16.4 - GET /api/v2/auth/me HTTP/1.1 200 587 - 7 ms
ecms-mesh-server     | 23:58:09.374 [] DEBUG [vert.x-eventloop-thread-4] [c.g.m.a.p.MeshJWTAuthProvider] - Could not authenticate token.
ecms-mesh-server     | java.lang.RuntimeException: Algorithm not supported
ecms-mesh-server     |  at io.vertx.ext.jwt.JWT.decode(JWT.java:280)
ecms-mesh-server     |  at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.authenticate(JWTAuthProviderImpl.java:122)
ecms-mesh-server     |  at com.gentics.mesh.auth.provider.MeshJWTAuthProvider.authenticateJWT(MeshJWTAuthProvider.java:90)
ecms-mesh-server     |  at com.gentics.mesh.auth.handler.MeshJWTAuthHandler.handleJWTAuth(MeshJWTAuthHandler.java:152)
ecms-mesh-server     |  at com.gentics.mesh.auth.handler.MeshJWTAuthHandler.handle(MeshJWTAuthHandler.java:89)
ecms-mesh-server     |  at com.gentics.mesh.auth.MeshAuthChain.lambda$secure$0(MeshAuthChain.java:40)
ecms-mesh-server     |  at io.vertx.ext.web.impl.RouteImpl.handleContext(RouteImpl.java:231)

I'm running the server in docker, with a Spring Boot Gateway in front, using the Token Relay Filter.

I can access Mesh through the gateway fine, if I'm anonymous or authenticated by Mesh.
But if I authenticate with Okta, and the gateway passes my token to Mesh, I get the exception...

I've added a file /config/public-keys.json with the contents of my Okta public keys.

Update:
I can confirm in the logs that my public keys are being picked up, because the debug output matches my /config/public-keys.json contents.

ecms-mesh-server     | 00:19:55.101 [] DEBUG [vert.x-eventloop-thread-0] [c.g.m.a.MeshOAuth2ServiceImpl] - {
ecms-mesh-server     |   "kty" : "RSA",
ecms-mesh-server     |   "alg" : "RS256",
ecms-mesh-server     |   "kid" : "u13712iLhUmkpeREecKaQhPvZvuImdNVWGJwAmgU-SM",
ecms-mesh-server     |   "use" : "sig",
ecms-mesh-server     |   "e" : "AQAB",
ecms-mesh-server     |   "n" : "vw5G7FUjegmT_BybIfgDWr..."
ecms-mesh-server     | }
ecms-mesh-server     | 00:19:55.101 [] DEBUG [vert.x-eventloop-thread-0] [c.g.m.a.MeshOAuth2ServiceImpl] - {
ecms-mesh-server     |   "kty" : "RSA",
ecms-mesh-server     |   "alg" : "RS256",
ecms-mesh-server     |   "kid" : "DzmghgcUAcXhxL-LeF3qJqefqeQpHR4BSHUoSY7m3FU",
ecms-mesh-server     |   "use" : "sig",
ecms-mesh-server     |   "e" : "AQAB",
ecms-mesh-server     |   "n" : "4yosHHYoEW6wqqOso5qfDONqLw2MK..."
ecms-mesh-server     | }
ecms-mesh-server     | 00:19:55.102 [] DEBUG [vert.x-eventloop-thread-0] [c.g.m.a.AuthHandlerContainer] - Keys changed. Creating a new auth handler to be used.

Answer 1

I noticed the token's "kid" parameter in the header, did not have a matching "kid" in the public key list. I was using the wrong authorization servers JWKs... wow. Heh.

I had this - https://dev-xxxxxx.okta.com/oauth2/v1/keys

When it should have been this - https://dev-xxxxxx.okta.com/oauth2/default/v1/keys

Hope this helps someone else.