When trying to configure SSO with an access_token, you get the following error:
{OidcRealm: oidc-okta}: Failed to authenticate user 'user@example.com'. JWT is not valid for this realm.
Check that the public key exists on the key endpoint (https://<IDP Tenant>/oauth2/v1/keys). You need the whole JWT to get the kid.
For example, the key endpoint https://<IDP Tenant>/oauth2/v1/keys returns:
{"keys":[{"kty":"RSA","alg":"RS256","kid":"qCkztMET6iHpT7pXpnAjKQwIhgHx_x5BF0h-Xa-RCng","use":"sig","e":"AQAB","n":"5fSL415XktBjYB-ZcoTI-I80Ifz-E9iAiQqtrsUoGBlQVAe6ySMQIEAFIfONsDtYH6f5TfUs3pS6g48KqAHNlCg_ziccQuA7SlSOyXkcPXzUiu6zgbkBwzyY6sLEL6HncjgFynmUEQ6NIhPJv6RrG_XO3pnxK7gmQTsjZx_5VxDmx-ofHFw29_eKNWGDgc6Y07jwsLfA6WkfzDZ_nJH29quihE9qFee2LtsAWYnI55fGoLk0hvpzZ0X3prHp3A6iLZZ3FMoEbimmOHhl4X_MAvKHPze1SN9aInSV3Mv7x_UJ21Y40bj5gH_2qEWzL0sh8gyek1xiRgg54VH3zvfn4Q"},{"kty":"RSA","alg":"RS256","kid":"75yJfazyW-OIaaGxQpNjbu7bsgI1ixQurQ7_NNDdm4E","use":"sig","e":"AQAB","n":"jyQaUULtPvBweq9NuCo1ZNb01tWIhQ-3uWP6K7VWiOHjGam7hpPVq-UP0rxCDdJLJTNBALhcuprC7gHf-FLwdVhnhmk6RsE5u-bLVaqqjYK-nXftNydmcn2n0bNTKOLe2ixTxVEiE3GKVsG8Deoa9YqvW095ouTe3YCOpH2msxKnIOHuK5CF0GUuSnlxyikjvTzyNsxbcc3ibrmD7hGjmWfHvT48akrPG-2auK38jglqaGTYJ2lsdOkuNQ4LbpquaFeh1eJb-KrJX-4uNqoHh8xziLpStoncmN9yu7hQ4bVMh0YzrQvLxWI7LSBzemhby6uID156ypER0xdgQR6Htw"}]}
One of those kid values, for example "kid":"qCkztMET6iHpT7pXpnAjKQwIhgHx_x5BF0h-Xa-RCng", needs to match the kid in the JWT.
With an access_token the matching key is sometimes not there, which means AuraDB cannot verify the token. Timing also matters, because those keys get rotated. Note that the kid is in the JWT header, not in the claims.
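The check described above, as an added example that is not part of the original article: decode the JWT header (not the claims), read its kid, and look it up in the key endpoint response. The JWKS below is constructed for the example (it reuses the two kid values shown above, with the RSA moduli replaced by placeholders), and the tokens are constructed and unsigned.

```python
import base64
import json
from typing import Optional

# Constructed JWKS for the example: it reuses the two kid values from the key
# endpoint output above; the long RSA moduli are replaced by placeholders
# because the kid lookup does not need them.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "<placeholder>",
     "kid": "qCkztMET6iHpT7pXpnAjKQwIhgHx_x5BF0h-Xa-RCng"},
    {"kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "<placeholder>",
     "kid": "75yJfazyW-OIaaGxQpNjbu7bsgI1ixQurQ7_NNDdm4E"},
]}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    # The kid lives in the header (first segment), not in the claims (second).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))

def find_signing_key(token: str, jwks: dict) -> Optional[dict]:
    # Return the JWK whose kid matches the token header, or None when the key
    # endpoint does not publish it (the situation behind the realm error).
    kid = jwt_header(token).get("kid")
    if kid is None:
        return None
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)

def make_demo_token(kid: str) -> str:
    # Constructed, unsigned token for the demo; a real token has a signature here.
    header = {"alg": "RS256", "kid": kid}
    claims = {"sub": "user@example.com", "iss": "https://<IDP Tenant>"}
    return f"{b64url_encode_json(header)}.{b64url_encode_json(claims)}.sig"

if __name__ == "__main__":
    for label, kid in [("id_token", "qCkztMET6iHpT7pXpnAjKQwIhgHx_x5BF0h-Xa-RCng"),
                       ("access_token", "kid-not-on-key-endpoint")]:
        key = find_signing_key(make_demo_token(kid), SAMPLE_JWKS)
        print(f"{label}: kid {'found' if key else 'missing'} on key endpoint")
```

Run it against a real token by pasting the token into make_demo_token's place and loading the live key endpoint response into SAMPLE_JWKS; a None result is the condition that produces "JWT is not valid for this realm".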
With reference to the Okta article Signature Validation Failed on Access Token, which states:
By design, Okta does not provide keys for access tokens minted by an Okta org. This is because the access token from an Okta org is an opaque token that is considered to be an Open ID Connect (Authentication use case) token vs an OAuth (Authorization use case) token.
This means that the access token being used cannot be considered an OAuth token. In consequence, the server will fail to validate it.
Okta organizations with API Access Management as a paid feature, or organizations with a developer account can use a custom authorization server to request a token minted with its own `kid`. The rest of the organizations need to fall back to ID Tokens.