In the blog post I followed, Matt Raible also adds /oauth2/default, but after reading the question on this forum, I found that /oauth2/default should be removed when MFA is enabled. It is enabled in my app, and everything works fine.
You’ll want to use an issuer with /oauth2/default. Otherwise, you can’t validate the token. I’m not sure how MFA fits into everything, but I know this will work if you’re not using MFA.
The error appears because your Okta tenant does not have the API Access Management feature enabled, through which you can create custom authorization servers with custom scopes and claims. Access tokens created through these authorization servers can be verified locally, as the signing keys for them are returned under the /keys endpoint.
This feature is free for developer and preview tenants, but paid in production ones. If you would like to have this feature enabled on your production tenant, please reach out to your Okta representative. If you would like to test the feature, you can register a free Okta developer tenant here.
Hi @dragos, thank you for your response. I am strictly following this post to configure my Angular 8 and Spring Boot applications. I am creating a SPA and using only the issuer and client-id to generate an access token in Angular and decode it in the Spring Boot application. Do you think I should open a case with support for this?
Can you please check with a developer tenant if you are able to run the application successfully? If it works, then the API Access Management feature would need to be enabled on your production tenant.
If the application doesn’t work with the developer tenant, please feel free to send an email to developers@okta.com and one of our Developer Support Engineers will further assist you.
I created an OIDC App in Okta as explained in the blog post. I do not know why the access token cannot be verified in the Spring Boot application, even though I can log in to the Angular app and view the UI.
Due to RFC restrictions, the Okta authorization server does not return the signing keys for access tokens. As such, access tokens issued through this authorization server cannot be verified locally.
Hi @dragos
I have read your response here, and for Single Page Apps I am using the Okta authorization server instead of a custom authorization server. I specify the issuer to be https://{company-name}.okta.com/oauth2/v1/authorize. Now I have a ‘blocked by CORS policy’ error, even though I have added the required URL to trusted origins.
Any suggestions as to what can be done to resolve this?
Can you give a screenshot from the browser’s JavaScript console with the error or the message that it shows? I am curious to see the endpoint that the script is trying to access through CORS.
Thank you for providing the screenshot. The endpoint that you are trying to access is actually composed of two endpoints, /oauth2/v1/authorize and /api/v1/authn. When they are joined together, Okta returns a 404 error.
We first need to make a request to /api/v1/authn to authenticate the user, after which we can make a request to /oauth2/v1/authorize (or /oauth2/{auth_server}/v1/authorize).
We have created a custom auth server after enabling API Access Management.
Should the issuer in the below config for the Angular 8 app be https://{company-name}.oktapreview.com/oauth2/{auth-server-id} or just https://{company-name}.oktapreview.com?
When I try with https://{company-name}.oktapreview.com without /oauth2/{auth-server-id} in the Angular 8 app config and https://{company-name}.oktapreview.com/oauth2/{auth-server-id}/v1/authorize in the config of the Spring Boot app, it is still failing and I am getting a 401 Unauthorized error.
We are hosting the app on http, not https. Can this be the reason why this is not working?
I appreciate your time and effort. Thank you very much!
Regarding your first question, you need to set the issuer to https://{company-name}.oktapreview.com/oauth2/{auth-server-id}.
Regarding your second question, can you please open a support ticket with us at developers@okta.com so that we can have a look together at the logs, see the sequence of calls, and work out what the next steps are to resolve this?
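The recurring problem in this thread is an issuer value that is not an authorization server base URL. The following is an added example (not code from the thread, from Okta, or from the blog post) that checks an issuer string against the advice given above and derives the discovery and JWKS URLs a resource server would use; the hostnames and the `inspect_issuer` function are assumptions for illustration.

```python
from urllib.parse import urlparse

# Added example, not code from this thread or from Okta. Hostnames such as
# {company-name}.oktapreview.com in the thread are placeholders.

# Endpoint paths that are sometimes pasted in as the "issuer" by mistake.
ENDPOINT_SUFFIXES = ("/v1/authorize", "/v1/token", "/v1/keys", "/v1/userinfo")


def inspect_issuer(issuer):
    """Describe an Okta issuer: its kind, any problems, and derived URLs.

    kind is "org" (https://{org}.okta.com), "custom"
    (https://{org}.okta.com/oauth2/{auth-server-id}) or "invalid".
    """
    u = urlparse(issuer)
    path = u.path.rstrip("/")
    problems = []
    if u.scheme != "https":
        problems.append("issuer must use https")
    if path.endswith(ENDPOINT_SUFFIXES):
        problems.append("issuer must be the authorization server base URL, "
                        "not an endpoint such as " + path)
    parts = [p for p in path.split("/") if p]
    if problems:
        kind = "invalid"
    elif not parts:
        kind = "org"
    elif len(parts) == 2 and parts[0] == "oauth2":
        kind = "custom"
    else:
        kind = "invalid"
        problems.append("unrecognised issuer path: " + path)
    base = f"{u.scheme}://{u.netloc}{path}"
    if kind == "custom":
        jwks_url = base + "/v1/keys"          # keys for ID and access tokens
    elif kind == "org":
        jwks_url = base + "/oauth2/v1/keys"   # ID-token keys only
    else:
        jwks_url = None
    return {
        "kind": kind,
        "problems": problems,
        "discovery_url": base + "/.well-known/openid-configuration",
        "jwks_url": jwks_url,
        # As the thread notes, only custom-server access tokens can be
        # verified locally; org-server access tokens cannot.
        "access_token_locally_verifiable": kind == "custom",
    }
```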