<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7VCDSA3Okta Classic EngineAdministrationAnswered2018-09-05T01:30:13.000Z2018-07-02T09:15:29.000Z2018-07-06T21:44:35.000Z

DanielK.66823 (Customer) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:20 AM
Getting ID Token rather than access token
In advance: I'm a novice regarding security topics in general (and thus in OAuth2 as well) so it might be the case that I'm simply missing something or have some sort of a misunderstand (and it's likely that I might mistake some terms).

 

Short description

* Web app based upon Spring Boot 2.0.0.RELEASE and thus Spring Security 5

* I'm using the authorization code flow (description: https://developer.okta.com/authentication-guide/implementing-authentication/auth-code)

* I'm using the exactly same setup for Auth0 where it works (obviously credentials and urls are different)

 

Security configuration 
  1.  spring:  security:  oauth2:  client:  registration:  okta: client-id: '11111111111111111111' client-secret: '000011112222333344445555666677778888AAAA'  authorization-grant-type: authorization_code  redirect-uri-template: 'http://localhost:8080/login/oauth2/code/okta'  scope:   - openid   - profile   - email  provider:  okta:  authorization-uri: 'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/authorize'  token-uri: 'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/token'  user-info-uri: 'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/userinfo'  jwk-set-uri: 'https://myapp.oktapreview.com/oauth2/aaaabbbbccccddddeeee/v1/keys'
 

My issue is as follows: I need to make a request to the /userinfo endpoint, so I'm supplying the bearer token gathered through the login process. That doesn't work as the /userinfo endpoint always gives me a 401 Unauthorized response.

Looking into it this error response seems correct to me as the issue at hand is obviously my token. The token doesn't seem to come from the configured authorization servers as I looked at the decoded JWT and the audience didn't match (another indicator was the expiration time which didn't match the configuration of the authorization server).

But the audience parameter matched the authentication configuration within the application configuration (configuration tab "Sign On").

 

Question 1: Why don't I get a token matching the authorization servers even though I only authorize against this server?

Question 2: Is there any other sensible way that allows me to make a request to the /userinfo endpoint?

 

Best regards

Daniel Kasmeroglu

  • 1 answer
  • 4.3K views
This question is closed.
Loading
Getting ID Token rather than access token