<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D51Y00007ynyLxSAIOkta Classic EngineSingle Sign-OnAnswered2021-05-13T03:47:25.000Z2020-03-03T23:42:00.000Z2020-04-02T02:09:32.000Z

SanjayaV.79926 (Red Energy) asked a question.

Importance of User-Agent and X-Forwarded-For headers in trusted application authentication

I have a requirement to authenticate users within a back-end application. According to documentation in https://developer.okta.com/docs/reference/api/authn, it seems I should be using the trusted application authentication.

 

In the example given for trusted application authentication, there are headers for `User-Agent` and `X-Forwarded-For` to pass information to Okta about the end user.

 

From a quick test I did, it does not seem to be mandatory to have those two headers for a successful authentication. For example, the following request succeeds:

 

```

curl -X POST \

https://mydomain.okta.com/api/v1/authn \

-H 'Accept: application/json' \

-H 'Authorization: SSWS MyAPIToken' \

-H 'Content-Type: application/json' \

-d '{

"username": "user@example.com",

"password" : "correcthorsebatterystaple"

}

```

 

(Note that I have a `SSWS` header to make the request a trusted application authentication, but there's no X-Forwarded-For or User-Agent headers set in the request)

 

My questions are:

  1. What would be the impact of not passing through User-Agent and X-Forwarded-For headers?
  2. It is possible that Okta would start rejecting requests with high volume of authentication requests originating from my back-end application? (Legitimate volume due to multiple users trying to authenticate themselves)

 

 

 

 

 

 


  • Hey there! Sorry for the lack of response here on the Discussions forum. If you’re still looking for an answer, I would recommend checking out our Developer resources, including the Developer Forum (https://devforum.okta.com/) and documentation. If you are unable to find the solutions you're looking for there, we would encourage you to contact our dedicated Developer Support team at developers@okta.com, and they will be able to help you out.

    Expand Post
This question is closed.
Loading
Importance of User-Agent and X-Forwarded-For headers in trusted application authentication