
GopaK.04276 (Customer) asked a question.
Hi, I hit the userinfo endpoint using an access token at https://dev-xxxx.okta.com/oauth2/default/v1/userinfo. I have been testing a browser-based SPA application for a while now and getting userinfo without any issues. My SPA settings are as below, and I get the access token; if I do a curl -H "Authorization: Bearer <access token>" https://dev-xxxx.okta.com/oauth2/default/v1/userinfo I get an HTTP 200 OK.
// SPA (browser) configuration: public client using PKCE against the org at dev-xxxx.okta.com
const spaConfig = {
  baseUrl: 'https://dev-xxxx.okta.com',
  redirectUri: 'http://localhost:8180/',
  clientId: 'yyyy',
  authParams: {
    pkce: true,                 // authorization code flow with PKCE (no client secret in the browser)
    responseMode: 'query',
    scopes: ['openid', 'email', 'profile']
  }
};
Now I wanted to use Okta from my Android app too, so I followed the example here - https://developer.okta.com/blog/2021/01/06/android-login - and am able to successfully get access/ID/refresh tokens. My Android config is below:
import com.okta.oidc.OIDCConfig;

// Android (okta-oidc-android) configuration; note that discoveryUri here is the bare org URL
private OIDCConfig mOidcConfig = new OIDCConfig.Builder()
        .clientId("zzzzzzz")
        .redirectUri("my.app:/login")
        .endSessionRedirectUri("my.app:/logout")
        .scopes("openid", "email", "profile", "offline_access")
        .discoveryUri("https://dev-xxxxx.okta.com")
        .create();
Now I get the access token using sessionClient.getTokens().getAccessToken(). I also verified it by doing an introspect using sessionClient.introspectToken(sessionClient.getTokens().getAccessToken()) and ensured the introspect prints everything perfectly! But if I now use the access token and try to get userinfo, that fails!! If I do a curl -H "Authorization: Bearer <access token>" https://dev-xxxx.okta.com/oauth2/default/v1/userinfo, I get an HTTP 401 invalid_token as below:
HTTP/2 401
date: Mon, 22 Mar 2021 21:50:21 GMT
server: nginx
public-key-pins-report-only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"
x-okta-request-id: YFkRHX6MyN5Hitr8d1Wv2AAAC@E
x-xss-protection: 0
p3p: CP="HONK"
access-control-expose-headers: WWW-Authenticate
www-authenticate: Bearer authorization_uri="http://dev-xxxxx.okta.com/oauth2/ausz5enk2O6miEQwX4x6/v1/authorize", realm="http://dev-xxxxx.okta.com", scope="openid", error="invalid_token", error_description="The access token is invalid.", resource="/oauth2/default/v1/userinfo"
I checked both apps, SPA and Native, and they are identical except, of course, for the client IDs and the redirect/logout URIs etc. So why does one work and the other not? Any clues will be really helpful; I have spent many hours on this now unsuccessfully ;(

I also tried to verify the token using the Okta Golang JwtVerifier, and interestingly the non-working access token fails the verifier saying "could not decode token: failed to verify with any of the keys"! The working token is verified just fine.
Never mind, I found the issue. I just had to set the discoveryUri to include the "oauth2/default" path; I found that clue from this link (https://devforum.okta.com/t/okta-react-native-jwt-verifier-service-unable-to-verify-access-tokens-error-while-resolving-signing-key-for-kid/6134).
import com.okta.oidc.OIDCConfig;

// Working Android configuration: discoveryUri now names the "default" custom
// authorization server, so the tokens it issues belong to the same server
// whose /oauth2/default/v1/userinfo endpoint is being called.
private OIDCConfig mOidcConfig = new OIDCConfig.Builder()
        .clientId("yyyyyy")
        .redirectUri("nextensio.agent:/login")
        .endSessionRedirectUri("nextensio.agent:/logout")
        .scopes("openid", "email", "profile", "offline_access")
        .discoveryUri("https://dev-xxxx.okta.com/oauth2/default")
        .create();
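To see what the discoveryUri change fixes, here is an added diagnostic in Node.js (example code, not from the original post or from Okta's SDKs). It decodes an access token without verifying it, works out which Okta authorization server owns the userinfo URL being called, and compares the two issuers. It relies on two facts about Okta: the org authorization server's issuer is the bare org URL and its keys are published at /oauth2/v1/keys, while a custom authorization server's issuer is the org URL plus /oauth2/<id> and its keys are at <issuer>/v1/keys. The org URL dev-xxxx.okta.com, the kid values, the subject and the "api://default" audience in the sample tokens are constructed placeholders.

```javascript
// Added example: explain an invalid_token 401 from Okta's userinfo endpoint by
// checking whether the token's issuer matches the server that owns the endpoint.
// dev-xxxx.okta.com is the post's placeholder org URL; tokens below are constructed.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Inspect-only decode: the signature is NOT checked, so never use these claims
// for an authorization decision; this is a debugging aid.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWS: header.payload.signature");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Which Okta authorization server owns a userinfo URL?
//   https://org/oauth2/v1/userinfo        -> org authorization server, issuer https://org
//   https://org/oauth2/<id>/v1/userinfo   -> custom authorization server, issuer https://org/oauth2/<id>
function issuerForUserinfo(userinfoUrl) {
  const u = new URL(userinfoUrl);
  const m = u.pathname.match(/^\/oauth2(?:\/([^/]+))?\/v1\/userinfo$/);
  if (!m) throw new Error(`not an Okta userinfo URL: ${userinfoUrl}`);
  return m[1] ? `${u.origin}/oauth2/${m[1]}` : u.origin;
}

// Discovery document and JWKS location for a given issuer. A verifier pointed at
// one issuer fetches that issuer's JWKS only, so a token signed under the other
// server's kid cannot be verified ("failed to verify with any of the keys").
function endpointsFor(issuer) {
  const isCustom = /^\/oauth2\/[^/]+$/.test(new URL(issuer).pathname);
  return {
    discoveryUri: `${issuer}/.well-known/openid-configuration`,
    jwksUri: isCustom ? `${issuer}/v1/keys` : `${issuer}/oauth2/v1/keys`,
  };
}

function diagnose(accessToken, userinfoUrl) {
  const { header, payload } = decodeJwt(accessToken);
  const tokenIssuer = payload.iss;
  const endpointIssuer = issuerForUserinfo(userinfoUrl);
  return {
    kid: header.kid,
    tokenIssuer,
    endpointIssuer,
    match: tokenIssuer === endpointIssuer,
    // The SDK's discoveryUri (or a verifier's issuer) has to name the server
    // that owns the endpoint you call with the token.
    requiredDiscoveryUri: endpointsFor(endpointIssuer).discoveryUri,
    tokenJwksUri: endpointsFor(tokenIssuer).jwksUri,
    endpointJwksUri: endpointsFor(endpointIssuer).jwksUri,
  };
}

// Constructed sample tokens: real header and claims, placeholder signature
// (decodeJwt never verifies it, so the placeholder is harmless here).
function sampleToken(iss, aud, kid) {
  const header = { alg: "RS256", kid, typ: "JWT" };
  const payload = { iss, aud, sub: "user@example.com", scp: ["openid", "email", "profile"] };
  return `${base64UrlEncode(header)}.${base64UrlEncode(payload)}.placeholder-signature`;
}

const ORG = "https://dev-xxxx.okta.com";
const USERINFO = `${ORG}/oauth2/default/v1/userinfo`;

// Shape of a token obtained with discoveryUri = ORG (the first Android config).
const orgIssuedToken = sampleToken(ORG, ORG, "orgKid1");
// Shape of a token obtained with discoveryUri = ORG + "/oauth2/default" (the fix, and the SPA).
const customIssuedToken = sampleToken(`${ORG}/oauth2/default`, "api://default", "customKid1");

console.log(diagnose(orgIssuedToken, USERINFO));     // match: false, issuers differ
console.log(diagnose(customIssuedToken, USERINFO));  // match: true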