Okta Classic Engine · API Access Management · Answered · 2023-03-07 · 2023-03-09 · 2025-09-13

ylnh1 (ylnh1) asked a question.

Problem of experimenting the Token Exchange Flow

I was experimenting with the Token Exchange Flow (https://developer.okta.com/docs/guides/set-up-token-exchange/-/main/). I have enabled this feature: OAuth 2.0 On-Behalf-Of Token Exchange.

However, I was not able to go through the steps listed in this document.

 

Issue 1, "Authorization Code with PKCE request": this document says to send the /v1/authorize request via POST; I never got it to work using curl or Postman. After searching around, I think this document is missing a login step. Even after I added the login step and got the sessionToken, I still could not get this step to work, either as a POST request as documented or changed to a GET request as many browser-based applications do.

Because of this issue, I leveraged a simple sample app (GitHub - okta/samples-js-react: React Auth SDK sample) to get the Subject Access Token. This app lets me get what we need in the steps "Authorization Code with PKCE request" and "Exchange code for tokens request".

 

So, when I try the step "Token exchange request from service app to API", I get the error:

{"error":"access_denied","error_description":"Policy evaluation failed for this request, please check the policy configurations."}

 

The System Log says:

Image is not available
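As an added illustration of the "Token exchange request from service app to API" step and of the access_denied error above (example code, not from the original post or from Okta), this Python builds the RFC 8693 exchange request that the service app sends to /v1/token and turns the error response into concrete points to verify. The issuer, client id, secret and token values are constructed placeholders; the JWT is decoded without signature verification for inspection only; the last checklist item assumes the authorization server's policy rules match on client, grant type and scope.

```python
# Added example (not Okta's or the original poster's code): RFC 8693 exchange request + error triage.
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def build_token_exchange_request(issuer, client_id, client_secret, subject_token, scopes):
    """Return (url, headers, form_body) for the service app's exchange call.
    Client authentication is client_secret_basic; parameter names follow RFC 8693."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_token,  # the user's token obtained by the native app
        "scope": " ".join(scopes),       # scopes wanted in the new token
    }
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return f"{issuer.rstrip('/')}/v1/token", headers, urlencode(form)

def decode_jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_access_denied(error_body, subject_token, expected_issuer, client_id, scopes, now):
    """Turn the access_denied / policy-evaluation error into concrete things to verify."""
    if error_body.get("error") != "access_denied":
        return []
    claims = decode_jwt_claims(subject_token)
    checks = []
    if claims.get("iss") != expected_issuer:
        checks.append(f"subject token issuer {claims.get('iss')} is not the server being called ({expected_issuer})")
    if "exp" in claims and claims["exp"] <= now:
        checks.append("subject token is expired; obtain a fresh one before exchanging")
    # Assumption: the authorization server's policy rules match on client, grant type and scope.
    checks.append(f"policy on {expected_issuer} needs a rule assigned to client {client_id} "
                  f"that allows grant type {TOKEN_EXCHANGE_GRANT} for scopes {' '.join(scopes)}")
    return checks

def make_unsigned_jwt(claims):
    """Constructed sample token (alg none, empty signature) for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```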


  • Paul S. (Okta, Inc.)

    Hello @ylnh1 (ylnh1), thank you for reaching out to our Community!

     

    There was a similar issue in a different client's question on the forum; please see below:

    https://support.okta.com/help/s/question/0D54z00006xJTVVCA4/oautherror-policy-evaluation-failed-for-this-request-please-check-the-policy-configurations?language=en_US

     

    The response should fix your problem as well.

    Additionally, if you need further assistance, we recommend leveraging the Okta Developer forums for this type of question and taking advantage of their expertise.

    https://devforum.okta.com/

     

  • ylnh1 (ylnh1)

    Thanks. I was using my developer Okta tenant, and I only configured the default API server.

    I followed the document steps (https://developer.okta.com/docs/guides/set-up-token-exchange/-/main/) and configured a NativeApp and App1. App1 got the access_token from NativeApp and tried to exchange it for another access token with different scopes, but failed with the above-mentioned error.

     

    I did configure the access policy per the steps mentioned in the document. So, I think it is a different issue from the one mentioned by @Paul S. (Okta, Inc.)

     

    This is my API server:

    Image is not available
    Clicking Default authorization and then going to Access Policies, I have:

    Image is not available
     

    Access API1 policy rules:

    Image is not available
     

    Access API2 policy:

    Image is not available
    API2 Access Policy rules (I tried checking Client Credentials and also tried unchecking Client Credentials; the same error):

    Image is not available

This question is closed.