[Bug]: Okta OIDC integration would return jwks 404

[Colstuwjx]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (Language Policy).
• Non-english title submitions will be closed directly ( 非英文标题的提交将会被直接关闭 ) (Language Policy).
• Please do not modify this template :) and fill in all the required fields.

RAGFlow workspace code commit ID

09f8dfe

RAGFlow image version

/

Other environment information

macOS M1 Prod, started the web service from source

Actual behavior

Try to login with okta and error returned:

Traceback (most recent call last):
  File "/Users/user/Projects/ragflow/api/apps/auth/oidc.py", line 73, in parse_id_token
    signing_key = jwks_cli.get_signing_key_from_jwt(id_token).key
  File "/opt/homebrew/anaconda3/envs/ragflow-local/lib/python3.10/site-packages/jwt/jwks_client.py", line 113, in get_signing_key_from_jwt
    return self.get_signing_key(header.get("kid"))
  File "/opt/homebrew/anaconda3/envs/ragflow-local/lib/python3.10/site-packages/jwt/jwks_client.py", line 95, in get_signing_key
    signing_keys = self.get_signing_keys()
  File "/opt/homebrew/anaconda3/envs/ragflow-local/lib/python3.10/site-packages/jwt/jwks_client.py", line 82, in get_signing_keys
    jwk_set = self.get_jwk_set(refresh)
  File "/opt/homebrew/anaconda3/envs/ragflow-local/lib/python3.10/site-packages/jwt/jwks_client.py", line 74, in get_jwk_set
    data = self.fetch_data()
  File "/opt/homebrew/anaconda3/envs/ragflow-local/lib/python3.10/site-packages/jwt/jwks_client.py", line 59, in fetch_data
    raise PyJWKClientConnectionError(
jwt.exceptions.PyJWKClientConnectionError: Fail to fetch data from the url, err: "HTTP Error 404: Not Found"
2025-06-04 14:03:08,468 ERROR    58577 Error parsing ID Token: Fail to fetch data from the url, err: "HTTP Error 404: Not Found"

Expected behavior

Could be able to login with okta channel

Steps to reproduce

1. start the service on local from source;
2. set configs in yaml:


...
oauth:
  oidc:
    display_name: "Okta OIDC"
    client_id: "xxx"
    client_secret: "xxx"
    issuer: "https://YOU_OKTA_DOMAIN.okta.com/oauth2/default"
    authorization_url: "https://YOU_OKTA_DOMAIN.okta.com/oauth2/default/v1/authorize"
    token_url: "https://YOU_OKTA_DOMAIN.okta.com/oauth2/default/v1/token"
    userinfo_url: "https://YOU_OKTA_DOMAIN.okta.com/oauth2/default/v1/userinfo"
    scope: "openid email profile"
    redirect_uri: "http://localhost/v1/user/oauth/callback/oidc"

Additional information

No response

[dosubot]

Based on the traceback and the RAGFlow code, the JWKS 404 error occurs because the backend tries to fetch the JSON Web Key Set (JWKS) from your Okta issuer at the endpoint https://YOUR_OKTA_DOMAIN.okta.com/oauth2/default/.well-known/jwks.json (or as specified by the issuer's metadata), but receives a 404 Not Found response. This JWKS endpoint is critical for verifying ID token signatures during OIDC login attempts see code reference.

Here are the most likely causes and steps to resolve:

1. Issuer URL or Okta App Misconfiguration: Double-check that your issuer value is correct and matches the Okta authorization server you are using. For Okta, the issuer should look like https://YOUR_OKTA_DOMAIN.okta.com/oauth2/default for the default authorization server. If you use a custom authorization server, the path will differ.

2. JWKS Endpoint Availability: The JWKS URI is discovered automatically from the issuer's OIDC metadata at /.well-known/openid-configuration. You can manually check this by visiting https://YOUR_OKTA_DOMAIN.okta.com/oauth2/default/.well-known/openid-configuration in your browser and looking for the jwks_uri field. Then, try accessing the jwks_uri directly. If you get a 404, the problem is with the Okta configuration or the issuer URL.

3. Network or DNS Issues: Make sure your local environment can resolve and reach your Okta domain. Try curl or wget to the JWKS URL from your terminal.

4. RAGFlow OIDC Logic: The RAGFlow backend uses the issuer URL to discover endpoints and fetch JWKS. If the issuer is set incorrectly or the Okta app is not configured to expose the JWKS endpoint, you will get this error see code reference.

5. Okta Authorization Server State: If you recently created or modified the Okta authorization server, it may take a few moments for endpoints to become available. Also, ensure the authorization server is active and not deleted or disabled.

If all configuration appears correct but the JWKS endpoint still returns 404, try creating a new authorization server in Okta and updating your issuer URL accordingly.

There are no existing issues in the RAGFlow repository that directly address this specific JWKS 404 error with Okta OIDC integration.

If you need to debug further, please share the actual values (with sensitive info redacted) for your issuer and the results of accessing the OIDC metadata and JWKS endpoints directly.

To reply, just mention my name @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}   

[Colstuwjx]

I fixed this issue by manually change the code in oidc.py , and also I've found the scope config is necessary to make the okta works :

...
    scope: "openid email profile"
...

I'll submit the fix PR if needed.