I’m developing a script that I’m hoping will change the password for a user under the context of the user but I’m running into a roadblock.
I’m using the following endpoint to authenticate a basic (non-admin) user. The username and password of the user are included with the body.
https://oktaorg.com/api/v1/authn
A “sessionToken” is returned, and I am then using that token in the Authorization header in the following endpoint to change the password:
https://oktaorg.com/idp/myaccount/password/change-password
I’m getting “401 (Unauthorized)”
I’m really not sure where to go from here so any help is appreciated.
Thanks!
A sessionToken is not a Bearer token that can be used as authorization against an Okta Endpoint.
To use the Replace a Password endpoint, the request must be authorized with an OAuth token granted to the user who wishes to change their password.
Example curl here, where <YOUR_TOKEN_HERE> needs to be replaced with an access token:
    curl -X PUT \
    https://subdomain.okta.com/idp/myaccount/password \
    -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
    -H 'Content-Type: application/json' \
    -d '{
      "profile": {
        "password": "Abcd1234"
      }
    }'
More details about how to get an OAuth access token are covered in this guide: Implement OAuth for Okta | Okta Developer
For instance, if you are trying to chain this after an /authn call, your sequence could look something like this:
- request to /authn with username/password in request body
  a. once the user has completed primary authentication, a sessionToken will be returned
- request to /oauth2/v1/authorize?... with the sessionToken in the query parameters
  a. once the OAuth flow is completed (see types of flows here, make sure the flow will return an access token), an Access Token will be returned
- request to /idp/myaccount/password with the access token as Bearer Auth
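The three-step chain above as an added example (not code from the thread or from Okta), written as request-building helpers so each step can be inspected before anything is sent. It assumes the placeholder domain from the question, a public OIDC app (CLIENT_ID, REDIRECT_URI) in that org, the authorization code flow with PKCE instead of the implicit flow (so the access token comes from /oauth2/v1/token), and the scope name okta.myAccount.password.manage, which should be checked against the Okta docs for your org.

```python
import base64, hashlib, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

ORG = "https://oktaorg.com"  # placeholder domain, as in the question
SCOPE = "openid okta.myAccount.password.manage"  # assumed scope name: check your org's docs

def json_request(url, body, method, bearer=None):
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    return Request(url, data=json.dumps(body).encode(), headers=headers, method=method)
def authn_request(username, password):
    # Step 1: primary authentication with the user's own credentials in the body
    return json_request(f"{ORG}/api/v1/authn", {"username": username, "password": password}, "POST")

def session_token_from_authn(resp):
    # A sessionToken is only present on status SUCCESS; MFA_REQUIRED etc. need their own handling
    if resp.get("status") != "SUCCESS":
        raise RuntimeError(f"/authn did not complete primary auth: {resp.get('status')}")
    return resp["sessionToken"]
def pkce_pair():
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize_url(session_token, client_id, redirect_uri, state, challenge):
    # Step 2: the sessionToken goes in the query string, not in an Authorization header
    params = {"client_id": client_id, "response_type": "code", "scope": SCOPE,
              "redirect_uri": redirect_uri, "state": state, "sessionToken": session_token,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{ORG}/oauth2/v1/authorize?{urlencode(params)}"
def code_from_redirect(location, expected_state):
    # Okta answers with a 302; read its Location header instead of following it
    q = parse_qs(urlparse(location).query)
    if q.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: possible CSRF or stale redirect")
    if "error" in q:
        raise RuntimeError(q.get("error_description", q["error"])[0])
    return q["code"][0]

def token_request(code, client_id, redirect_uri, verifier):
    body = urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "redirect_uri": redirect_uri, "code_verifier": verifier}).encode()
    return Request(f"{ORG}/oauth2/v1/token", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def change_password_request(access_token, new_password):
    # Step 3: the access token from /token (never the sessionToken) is the Bearer credential
    return json_request(f"{ORG}/idp/myaccount/password", {"profile": {"password": new_password}}, "PUT", bearer=access_token)
```

Send each Request with urllib.request.urlopen (with redirects disabled for the authorize step) and feed the parsed JSON or Location header into the next helper.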