Couldn't retrieve remote JWK set: Server returned HTTP response code: 401 error occurs when using OpenID Connect authentication with Oracle Identity Cloud Service


  • Liferay DXP 7.0-7.3
  • Oracle Identity Cloud Service
  • OpenID Connect authentication enabled


When OpenID Connect authentication is enabled in Liferay DXP and Oracle Identity Cloud Service (IDCS) is the configured provider, the following error may occur and users are not able to sign in to Liferay DXP:

Caused by: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Server returned HTTP response code: 401 for URL:
	at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(
	at com.nimbusds.jose.jwk.source.RemoteJWKSet.get(
	at com.nimbusds.jose.proc.JWSVerificationKeySelector.selectJWSKeys(
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.selectKeys(
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(
	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(
	at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(
	... 60 more
Caused by: Server returned HTTP response code: 401 for URL:
	at java.base/
	at java.base/
	at java.base/
	at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(
	at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(
	at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(
	... 67 more


The JWKS endpoint is protected by default in IDCS tenants. You can test it by

  1. Navigating to discovery document of your tenant: https://<tenant-base-url>/.well-known/openid-configuration
  2. Click on the "jwks_uri" from the response JSON (this will be the same URL as you see in the error): https://<tenant-base-url>/admin/v1/SigningCert/jwk

If you get HTTP 401, it means the endpoint is protected in your environment. OpenID Connect clients (like Liferay DXP) need to access this resource in order to load the server's signing certificate(s) to verify the IDToken received back with the authentication response.

To make the JWKS endpoint public:

  1. Login to your Oracle IDCS console
  2. Access the left navigation menu
  3. Go to Settings > Default Settings
  4. Under "Access Signing Certificate", switch the toggle to enable "Configure whether clients can access the signing certificate for the identity domain without logging in to Oracle Identity Cloud Service."
  5. Save


1 人中有 1 人觉得有帮助