403 Forbidden for REST API with Okta

Hi,

I am doing authentication with Okta and OAuth2.

I have a Spring Boot REST API application. I didn't create any UI, so I am testing authentication and authorization with Postman using the authorization code flow.

I got an authorization code from the /default/v1/authorize endpoint, and I got an access token from default/v1/token.

And I continued to test the POST APIs by passing the access_token in the Authorization header, for example (Bearer eyJraWQiOiJTTFhaMVRXY3lzNjNSY01xaDFqQVBlaDZwaF9Walhzcm1xTHU2V2RKUHJVIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULm9BaUhJYlpIRzNrN0JBRFZZaWNESDFHeVFKUzdRUHBVZEJzVjdxQjFxQUUiLCJpc3MiOiJodHRwczovL2Rldi03MTQxOTgub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTUzMzI1NzQ1LCJleHAiOjE1NTMzMjkzNDUsImNpZCI6IjBvYWNvcDJlZzVqQWtMY3YxMzU2IiwidWlkIjoiMDB1YzhldHpvaVdQSWpjZ3gzNTYiLCJzY3AiOlsib3BlbmlkIl0sInN1YiI6ImdyYWNoZXBhbGxpQGNyaXlhYS5jb20ifQ.CucTgbeb2A_i7-s5nv4gPDcXELQTNrIKyEMvLpF4T8WDOWHDyELoTma7XbsCCiJw2KrieWKPs0e8fqmlTumjZVvjAJg1kPwbG4JgwYT-HtzIN6AVaIM4uhYlgewKXe4SPqKAxiWWKhy8uVojAjAi6QOI7UapSKDD-_8DkSwlc21ievQ706OehPa971vW4GqJfVOhnMWU3pUcFHEqv74HlcGCRMEqpMyDjIKkNmPlBZSmXg8A2TLq5dDXHiIxgJqrDousSghzVNmA-cDfNvWafB8oLI5upVMcnzhKUD_k-nR5RmRNNu2KMRkkUBg3C8kCwMXI-Bd6pGH7Y8au9U4UNA) and an Accept header.

But I am getting a 403 Forbidden error. Do I need to pass any other headers? Please help with this.

Hi @Gayithri

To access /token and retrieve the JWT tokens from Okta, you will need to pass the client ID and client secret, either in the body or in the Authorization header, in the following format:

"Authorization: Basic " + base64_encode(client_id + ":" + client_secret)

You can find further details here on how to successfully do the authorization code flow.

Hi Dragos,
I got the access token by passing the client ID and client secret.
But what I am asking is: now I am passing the access token I got to the POST API, and it throws a 403 Forbidden error.
Note: you can see I have the access token with Bearer.
Please help with this.
Thanks in advance

Hi @Gayithri

Can you please tell me which endpoint exactly you are trying to access using the bearer token?

Hi Dragos,

Can you please tell me which endpoint exactly you are trying to access using the bearer token?

Answer: my application's REST POST API (http://localhost:8080/person; this is not an Okta endpoint).

Let me tell you the steps I did:

Step 1: Accessed this URL in the browser: http://localhost:8080

Step 2: Redirected to the Okta sign-in page and logged in to Okta.

Step 3: It redirected to my application (as I configured in redirect_uri in Okta).

Step 4: oauth2/default/v1/authorize

Got the authorization code.

Step 5: Passed the authorization code to the token API below:
oauth2/default/v1/token (attaching the screenshot of this).

With the above step I got the access_token.

Step 6: Accessed my application's REST POST API http://localhost:8080/person with the above access token in the header Authorization: Bearer (access_token), plus Accept: application/json and Content-Type: application/json, and attached the screenshot.


Please help with this. I am not getting any clue.

Hi @Gayithri

How are you capturing and verifying the Authorization header and bearer token in your application? There might be a misconfiguration in the JWT verifier that you have.

Hi Dragos,

Oh, I am not capturing and verifying the bearer token in my application.
I am not aware of the JWT verifier.

Can you please tell me how to capture and verify the token and configure JWT verification in my application?

@Dragos,

Can you please help with this?

Hi @Gayithri

When passing a bearer token to a resource server, in order to retrieve the resources accordingly, you will need to implement a method on the server to capture the authorization header, parse the bearer token and retrieve the resources based on the user for which the access token was issued.

  1. Capturing the Authorization header should be an easy step from the backend. You will need to look for the "Authorization" header, split/explode the value of the header (it should look something like "Bearer eyJraW…") and take the second part, which is the bearer/access token.
  2. Parsing the token can be done through a JWT verifier or through logic that you implement. You can find further details about this process and the libraries that Okta currently has here.
  3. Retrieving the resources can be done based on the subject (sub) claim of the bearer token. Once you verify the authenticity, you can retrieve all the requested details that the user from the subject has access to.
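The three steps above, as an added example that is not part of this thread and not Okta's or Spring's own code. It shows how a Spring Boot resource server does them with Spring Security's built-in bearer-token support instead of hand-parsing the header: the filter extracts the token from `Authorization: Bearer …`, a `JwtDecoder` fetches Okta's signing keys and checks signature, expiry, issuer and audience, and the controller reads the `sub` claim from the verified token. It assumes Spring Security 5.7 or later with the `spring-boot-starter-oauth2-resource-server` dependency; the issuer and audience strings are taken from the `iss` and `aud` claims of the token pasted earlier in the thread, and the `/person` handler body is illustrative (the two classes would normally live in separate files).

```java
package com.example.personapi;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

/** Stateless resource server protected by Okta access tokens (example configuration). */
@Configuration
public class ResourceServerConfig {

    // Assumed from the "iss" claim of the token pasted in the thread.
    static final String ISSUER = "https://dev-714198.okta.com/oauth2/default";
    // Assumed from the "aud" claim; tokens minted for a different API must be rejected.
    static final String AUDIENCE = "api://default";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            // A bearer-token API keeps no session, so CSRF protection does not apply. Left enabled
            // on a session/login-style configuration, Spring Security answers a POST that carries
            // no CSRF token with 403 Forbidden, which is one common source of that status.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            // Steps 1 and 2: BearerTokenAuthenticationFilter reads "Authorization: Bearer <jwt>",
            // passes the token to the decoder, and answers a missing or invalid token with 401.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads ISSUER/.well-known/openid-configuration, then fetches and caches the JWKS so the
        // RS256 signature is checked against Okta's published public key for the token's "kid".
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);

        // Default validator: exp/nbf with clock skew, and "iss" must equal ISSUER.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Audience is not checked by default; add it so a token issued for another API is refused.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }
}

/** Step 3: the verified token's "sub" claim identifies the caller; work is scoped to that user. */
@RestController
class PersonController {

    @PostMapping(path = "/person",
                 consumes = MediaType.APPLICATION_JSON_VALUE,
                 produces = MediaType.APPLICATION_JSON_VALUE)
    Map<String, Object> createPerson(@AuthenticationPrincipal Jwt token,
                                     @RequestBody Map<String, Object> person) {
        // The principal is the decoded, signature-checked JWT; claims here can be trusted.
        String subject = token.getSubject();                       // "sub": user the token was issued to
        List<String> scopes = token.getClaimAsStringList("scp");   // Okta carries granted scopes in "scp"

        // Persisting the record is out of scope for this example; echo back who made the call.
        Map<String, Object> result = new LinkedHashMap<>();
        result.put("createdBy", subject);
        result.put("clientId", token.getClaimAsString("cid"));     // "cid": Okta client that obtained it
        result.put("scopes", scopes);
        result.put("person", person);
        return result;
    }
}
```

With this in place, a request such as the one in Step 6 (`Authorization: Bearer <access_token>`, `Content-Type: application/json`) reaches the handler once the token verifies; a request with no token, an expired token, or a token from another issuer or audience is answered with 401 and a `WWW-Authenticate: Bearer` header rather than 403. The `jwtDecoder()` bean can be replaced by the property `spring.security.oauth2.resourceserver.jwt.issuer-uri`, but the explicit bean is what lets the audience check be added.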