Getting ID Token rather than access token
https://support.okta.com/help/answers?id=9060z00000078kdqay&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Daniel Kasmeroglu

Getting ID Token rather than access token

In advance: I'm a novice regarding security topics in general (and thus in OAuth2 as well), so it might be the case that I'm simply missing something or have some sort of misunderstanding (and it's likely that I might mistake some terms).

Short description
* Web app based upon Spring Boot 2.0.0.RELEASE and thus Spring Security 5
* I'm using the authorization code flow (description: https://developer.okta.com/authentication-guide/implementing-authentication/auth-code)
* I'm using the exact same setup for Auth0, where it works (obviously credentials and URLs are different)

Security configuration
spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            # indentation must be spaces: YAML rejects tab characters here
            client-id:                  '11111111111111111111'
            client-secret:              '000011112222333344445555666677778888AAAA'
            authorization-grant-type:   authorization_code
            redirect-uri-template:      'http://localhost:8080/login/oauth2/code/okta'
            scope:
              - openid
              - profile
              - email
        provider:
          okta:
            authorization-uri:          'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/authorize'
            token-uri:                  'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/token'
            user-info-uri:              'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/userinfo'
            jwk-set-uri:                'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/keys'

My issue is as follows: I need to make a request to the /userinfo endpoint, so I'm supplying the bearer token gathered through the login process. That doesn't work as the /userinfo endpoint always gives me a 401 Unauthorized response.
Looking into it, this error response seems correct to me, as the issue at hand is obviously my token. The token doesn't seem to come from the configured authorization server, as I looked at the decoded JWT and the audience didn't match (another indicator was the expiration time, which didn't match the configuration of the authorization server).
But the audience parameter matched the authentication configuration within the application configuration (configuration tab "Sign On").

Question 1: Why don't I get a token matching the authorization server even though I only authorize against this server?
Question 2: Is there any other sensible way that allows me to make a request to the /userinfo endpoint?

Best regards
Daniel Kasmeroglu
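As an added diagnostic that is not part of this thread or of Okta's tooling: a small Python script that decodes (without verifying) an access token's claims and checks iss, aud and exp against the custom authorization server from the configuration above, the same comparison Daniel did by hand on the decoded JWT. The expected issuer and audience are assumptions derived from the question's placeholder URLs, and the two sample tokens are constructed, unsigned test values.

```python
import base64
import json
import time

# Assumptions (not from the thread): the custom authorization server's issuer is
# the question's token-uri minus "/v1/token", and its audience is "api://default".
# The ids in these URLs are the question's placeholders, not real Okta values.
EXPECTED_ISSUER = "https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee"
EXPECTED_AUDIENCE = "api://default"

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt):
    """Return the payload claims of a compact JWS WITHOUT verifying its signature.
    Verification is /userinfo's job; this only explains why it answered 401."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_token(jwt, now=None):
    """List why the custom authorization server would reject this token;
    an empty list means iss, aud and exp are all consistent with it."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience mismatch: {aud!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (or exp missing)")
    return problems

def make_unsigned_jwt(claims):
    """Build a constructed, UNSIGNED (alg=none) token for this offline demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed samples: a token whose iss/aud belong to a different (org-level)
# authorization server, and one minted by the custom server configured above.
ORG_SERVER_TOKEN = make_unsigned_jwt(
    {"iss": "https://myapp.oktapreview.com", "aud": "https://myapp.oktapreview.com", "exp": 1_700_003_600})
CUSTOM_SERVER_TOKEN = make_unsigned_jwt(
    {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 1_700_003_600})
```

Running diagnose_token on the token your login flow actually returned tells you which of the three claims /userinfo is refusing, before you change any Spring configuration.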
 
Sara Daqiq (Okta, Inc.)
Hey Daniel, 
I suggest you follow these steps from the browser (/authorize) and Postman (/token) instead of your script to understand the flow first.

Follow these steps to get the token: https://developer.okta.com/authentication-guide/implementing-authentication/auth-code

This will give you an access token and an id_token.
User-added image
Add the access token in the highlighted section; this will give you information about the user.

Here is our Postman collection: https://developer.okta.com/reference/postman_collections/
The above calls are in the collection "API Access Management (OAuth 2.0)".

If this does not help, please open a ticket and we will gladly help.