
DawidW.73260 (Customer) asked a question.
Hi there,
I want to call Okta Workflows through Inline Hook.
I have a configuration:
- Inline hook with private key authentication, okta.workflows.invoke.manage scope, client id of a valid app, key from Key Management, Token URL that is an org auth server one (because Workflows do not work with custom ones)
- Okta Workflows with API Endpoint card, OAuth2 secured with an app already set in Inline Hook's client id
When I try to execute my Inline Hook, Inline Hook (the app set there) generates a token correctly (can see it in the System Log), but Workflow rejects it with Unauthorized. It works fine with OAuth2 disabled. It doesn't work if I choose "Any" app, not a specific one.
It's worth mentioning that I have an identical configuration on one of my lower environments (other tenant/organization) and it works.
Could this be happening because of a specific organization configuration? Is there anything that I can do to troubleshoot?
Dawid

I tried cURLing my Workflow directly and I get: "Failed to authenticate request. Please check your headers"
I saw this article:
https://support.okta.com/help/s/article/error-failed-to-authenticate-request-please-check-your-headers-when-trying-to-invoke-api-endpoint-secured-with-oauth-2-0?language=en_US
but it did not help me. I do have two custom domains. I tried putting each of them to Token URL of my Inline Hook, but it didn't change anything. Is there anything else to do?

Hi @DawidW.73260 (Customer), thank you for reaching out to the Okta Community!
If you have confirmed parity and the same configuration works in your other tenants, the issue might be related to various Feature Flags that might be enabled on one org versus the other.
You can check some Feature Flags available for self-service by going to your Okta Admin Dashboard > Settings > Features.
Other features might not be available for self-service and you will need to contact the Support Team for a comparison.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.

Hi @Mihai Negoita - Okta (Okta, Inc.),
Thanks for your answer. I checked Feature Flags - at least those available for me to see - and they look pretty much the same.
I noticed one difference between my orgs though: on the failing org, when I access Workflows from the Okta Admin Console, I'm first redirected to another, custom domain's login page.
Having that in mind, I read the article, but it did not help me.
I tried generating a JWT token against both the custom domain and the default domain, but the token is still not accepted by Workflow.
When I do that different token generation, the only thing that changes is the aud claim; the iss claim always stays at the default domain.
Could it be a problem? Which claims does Workflows expect, given my scenario with different domains? Is there any workaround for that if that's the case?
Dawid
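
An added example, not part of the original thread: a way to inspect the `iss` and `aud` claims discussed above by decoding two access tokens side by side and listing the claims that differ. The tokens, hostnames and client id are constructed placeholders, the `scp`/`cid` claim names are assumed from Okta's access-token layout, and the script only decodes the payload (it does not verify signatures and does not say which values Workflows accepts).

```python
import base64
import json
from urllib.parse import urlsplit

def decode_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diff_claims(a, b, ignore=("exp", "iat", "jti")):
    """Return {claim: (value_in_a, value_in_b)} for every claim that differs."""
    out = {}
    for name in sorted(set(a) | set(b)):
        if name not in ignore and a.get(name) != b.get(name):
            out[name] = (a.get(name), b.get(name))
    return out

def iss_aud_hosts(claims):
    """Return (issuer host, set of audience hosts); aud may be a string or a list."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    return urlsplit(claims.get("iss", "")).hostname, {urlsplit(a).hostname for a in aud}

def _sample_token(claims):
    """Build an unsigned, constructed token for this demo (placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"

# Constructed sample claims: hostnames and client id are placeholders.
BASE = {"iss": "https://example.okta.com", "cid": "0oaEXAMPLE",
        "scp": ["okta.workflows.invoke.manage"], "exp": 1700003600}
TOKEN_DEFAULT = _sample_token({**BASE, "aud": "https://example.okta.com"})
TOKEN_CUSTOM = _sample_token({**BASE, "aud": "https://login.example.com"})

if __name__ == "__main__":
    default, custom = decode_claims(TOKEN_DEFAULT), decode_claims(TOKEN_CUSTOM)
    print("claims that differ:", diff_claims(default, custom))
    for label, claims in (("default", default), ("custom", custom)):
        iss_host, aud_hosts = iss_aud_hosts(claims)
        state = "match" if aud_hosts == {iss_host} else "MISMATCH"
        print(f"{label}: iss={iss_host} aud={sorted(aud_hosts)} -> {state}")
```

Running the same comparison on a token from the working org and one from the failing org gives a concrete claim-level difference to attach to a support case.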

Hi @Mihai Negoita - Okta (Okta, Inc.)
Could you please help with this supporting question: if the Okta Workflows app's App Embed Link is on the custom domain, does Workflows also expect the issuer claim to be the custom domain when verifying the token?

Hi @DawidW.73260 (Customer),
If you have an account with us and are a SuperAdmin/Case Admin, please open a case to work with my colleagues from the Support Team to investigate this further. They'll be able to access additional tools and resources to help you get to the bottom of it.
Regards.