
ylnh1 (ylnh1) asked a question.
I was experimenting with the Token Exchange Flow (https://developer.okta.com/docs/guides/set-up-token-exchange/-/main/). I have enabled the OAuth 2.0 On-Behalf-Of Token Exchange feature.
However, I was not able to go through the steps listed in this document.
Issue #1, "Authorization Code with PKCE request": this document says to send the /v1/authorize request via POST; I never got it to work using curl or Postman. After searching around, I think this document is missing a login step. Even when I add the login step and get the sessionToken, I still cannot get this step to work, either as a POST request as documented or changed to a GET request as many browser-based applications do.
Because of this issue, I leveraged a simple sample app (GitHub - okta/samples-js-react: React Auth SDK sample) to get the Subject Access Token. This app lets me get what we need in the steps "Authorization Code with PKCE request" and "Exchange code for tokens request".
So, when I try the step "Token exchange request from service app to API", I get the error:
{"error":"access_denied","error_description":"Policy evaluation failed for this request, please check the policy configurations."}
The System Log says:

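The three steps the question walks through (authorize with PKCE, exchange the code, then exchange the resulting access token on behalf of the user) map onto RFC 7636 and RFC 8693. The following Python is an added example, not code from the original post or from Okta's guide: it generates a PKCE pair, builds the /v1/authorize request as the GET a browser-based client sends, and builds the two /v1/token POST bodies. The issuer, client ids, redirect URI, audience and scope names are placeholders, and the token-exchange body uses only RFC 8693's parameter names; Okta's guide may require additional parameters.

```python
"""PKCE (RFC 7636) and token-exchange (RFC 8693) request builders; constructed example."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values defined by RFC 8693 (token exchange).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as both RFCs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, within RFC 7636's 43..128 range."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """What the authorization server checks at step 2; only the challenge was ever sent."""
    return secrets.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str, code_challenge: str) -> str:
    """Step 1: the browser is sent (GET) to /v1/authorize with the challenge, never the verifier."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def authorize_query_params(url: str) -> dict:
    """Parse an authorize URL back into {param: value} (single-valued params)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_code_exchange_body(client_id: str, code: str, redirect_uri: str,
                             code_verifier: str) -> dict:
    """Step 2: POST body for /v1/token; the verifier proves this client started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def build_token_exchange_body(subject_token: str, audience: str, scopes: list) -> dict:
    """Step 3: POST body for /v1/token from the service app (App1). The user's access
    token is the subject_token; a token for a different audience/scopes is requested.
    RFC 8693 parameter names only (assumption: Okta may require more)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": " ".join(scopes),
    }


if __name__ == "__main__":
    # Placeholder issuer and client values (constructed).
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    url = build_authorize_url("https://example.okta.com/oauth2/default", "native-app-client-id",
                              "http://localhost:8080/callback", ["openid", "api1.read"],
                              secrets.token_urlsafe(16), challenge)
    print(url)
    print(build_code_exchange_body("native-app-client-id", "<code from redirect>",
                                   "http://localhost:8080/callback", verifier))
    print(build_token_exchange_body("<subject access token>", "api://app2", ["api2.read"]))
```

The authorization server stores the challenge at step 1 and recomputes it from the verifier at step 2, so a leaked authorization code is useless to a party that does not also hold the verifier; that is why the verifier must never appear in the authorize request.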
Hello @ylnh1 (ylnh1), thank you for reaching out to our Community!
There was a similar issue with a different client's question on the forum; please see below:
https://support.okta.com/help/s/question/0D54z00006xJTVVCA4/oautherror-policy-evaluation-failed-for-this-request-please-check-the-policy-configurations?language=en_US
The response should fix your problem as well.
Additionally, if you need further assistance, we recommend leveraging the Okta Developer forums for this type of question and taking advantage of their expertise.
https://devforum.okta.com/
@ylnh1 (ylnh1), what's your full authorize URL? The endpoint can be found from:
https://xxx.okta.com/.well-known/openid-configuration
Does your tenant have API Access Management? Can you find the Authorization Servers tab under API?
Thanks. I was using my developer Okta tenant, and I only configured the default API server.
I followed the document steps (https://developer.okta.com/docs/guides/set-up-token-exchange/-/main/) and configured a NativeApp and App1. App1 got the access_token from NativeApp and tried to exchange it for another access token with different scopes, but failed with the above-mentioned error.
I did configure the access policy per the steps mentioned in the document. So, I think it is a different issue from the one mentioned by @paul.stiniguta1.508386743840768E12 (Okta, Inc.)
This is my API server
Access API1 policy rules:
Access API2 policy:
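The "Policy evaluation failed" response means no access-policy rule on the authorization server matched the combination of requesting client, grant type and requested scopes. The following Python is an added example, not Okta's policy engine or anything from the thread: it is a deliberately small model of an authorization server with per-client access policies and ordered rules, built to show why a setup like the one described (NativeApp allowed authorization_code, App1 allowed client_credentials, nobody allowed the token-exchange grant) yields exactly that error at step 3, and what changes once a rule permits the grant. Client ids, policy names and scope names are constructed placeholders, and real Okta rules carry more conditions than grant type and scopes.

```python
"""Toy access-policy evaluation for a token-exchange request (constructed model, not Okta's)."""
from dataclasses import dataclass

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

# Error as reported in the thread; returned whenever no rule permits the request.
POLICY_FAILURE = {
    "error": "access_denied",
    "error_description": "Policy evaluation failed for this request, please check the policy configurations.",
}


@dataclass(frozen=True)
class Rule:
    name: str
    grant_types: frozenset  # grant types this rule permits
    scopes: frozenset       # scopes it may grant; "*" means any scope


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    clients: frozenset      # client ids the policy is assigned to; "*" means all clients
    rules: tuple            # evaluated in order; first matching rule wins


def evaluate(policies, client_id, grant_type, requested_scopes):
    """Return a granted-decision dict, or the access_denied error when no rule matches."""
    requested = frozenset(requested_scopes)
    for policy in policies:
        if "*" not in policy.clients and client_id not in policy.clients:
            continue  # policy is not assigned to this client
        for rule in policy.rules:
            if grant_type not in rule.grant_types:
                continue  # rule does not permit this grant type
            if "*" in rule.scopes or requested <= rule.scopes:
                return {"granted": True, "policy": policy.name, "rule": rule.name,
                        "scope": sorted(requested)}
        return dict(POLICY_FAILURE)  # first applicable policy had no matching rule
    return dict(POLICY_FAILURE)      # no policy assigned to this client at all


# Constructed configuration mirroring the thread: NativeApp obtains the user's token
# with authorization_code + PKCE; App1 (a service app) then attempts token exchange.
NATIVE_APP, APP1 = "native-app-client-id", "app1-client-id"


def misconfigured_policies():
    """Rules cover NativeApp's user login and App1's own client_credentials, but no rule
    permits the token-exchange grant, so step 3 fails policy evaluation."""
    return (
        AccessPolicy("Access API1", frozenset({NATIVE_APP}),
                     (Rule("users", frozenset({"authorization_code"}),
                           frozenset({"openid", "api1.read"})),)),
        AccessPolicy("Access API2", frozenset({APP1}),
                     (Rule("service", frozenset({"client_credentials"}),
                           frozenset({"api2.read"})),)),
    )


def corrected_policies():
    """Same configuration plus a rule on the API2 policy permitting App1 to use token exchange."""
    api1, api2 = misconfigured_policies()
    exchange_rule = Rule("on-behalf-of", frozenset({TOKEN_EXCHANGE_GRANT}), frozenset({"api2.read"}))
    return (api1, AccessPolicy(api2.name, api2.clients, api2.rules + (exchange_rule,)))


def step3_misconfigured():
    return evaluate(misconfigured_policies(), APP1, TOKEN_EXCHANGE_GRANT, ["api2.read"])


def step3_corrected():
    return evaluate(corrected_policies(), APP1, TOKEN_EXCHANGE_GRANT, ["api2.read"])


def step3_excess_scope():
    """Even with the exchange rule present, a scope the rule does not grant is denied."""
    return evaluate(corrected_policies(), APP1, TOKEN_EXCHANGE_GRANT, ["api2.read", "api2.admin"])


if __name__ == "__main__":
    print(step3_misconfigured())
    print(step3_corrected())
    print(step3_excess_scope())
```

When the error appears, check the three things the model checks, in that order: the policy is assigned to the client that sends the exchange request (App1, not NativeApp), at least one of its rules lists the token-exchange grant type, and that rule grants every scope the request asks for.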