I have Spring boot rest api application. I didnt create any UI. So am testing Authentication and Authorization with Postman with Authorization code flow.
I have got Authorization code with /default/v1/authorize endpoint And i have got access token with default/v1/token.
And i continued to test POST api’s by passing access_token in the header as Authorization header example (Bearer eyJraWQiOiJTTFhaMVRXY3lzNjNSY01xaDFqQVBlaDZwaF9Walhzcm1xTHU2V2RKUHJVIiwiYWxnIjoiUlMyNTYifQ.
eyJ2ZXIiOjEsImp0aSI6IkFULm9BaUhJYlpIRzNrN0JBRFZZaWNESDFHeVFKUzdRUHBVZEJzVjdxQjFxQUUiLCJpc3MiOiJodHRwczovL2Rldi03MTQxOTgub2t0YS5jb20vb2F1dGgyL2
RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTUzMzI1NzQ1LCJleHAiOjE1NTMzMjkzNDUsImNpZCI6IjBvYWNvcDJlZzVqQWtMY3YxMzU2IiwidWlkIjoiMDB1YzhldHpvaVdQSWpjZ3gzNTYiLCJzY3AiOlsib3BlbmlkIl0sInN1YiI6ImdyYWNoZXBhbGxpQGNyaXlhYS5jb20ifQ.
CucTgbeb2A_i7-s5nv4gPDcXELQTNrIKyEMvLpF4T8WDOWHDyELoTma7XbsCCiJw2KrieWKPs0e8fqmlTumjZVvjAJg1kPwbG4JgwYT-HtzIN6AVaIM4uhYlgewKXe4SPqKAxiWWKhy8uVojAjAi6QOI7UapSKDD-_8DkSwlc21ievQ706OehPa971vW4GqJfVOhnMWU3pUcFHEqv74HlcGCRMEqpMyDjIKkNmPlBZSmXg8A2TLq5dDXHi
IxgJqrDousSghzVNmA-cDfNvWafB8oLI5upVMcnzhKUD_k-nR5RmRNNu2KMRkkUBg3C8kCwMXI-Bd6pGH7Y8au9U4UNA)
And Accept header.
But i am getting 403 forbidden error. Do i need to pass any other headers? Please help on this
To access /token and retrieve the JWT tokens from Okta, you will need to pass the client id and client secret, either in the body or in the authorization header, under the following format:
Hi Drago’s,
I have got the access token by passing the client I’d and client sceret.
But am asking is now am passing access token which I got to POST API then it is threw 403 for bidden error.
Note:you can see I have access token with bearer.
Please help on this.
Thanks in advance
Step1: Accessed this url in browser http:localhost:8080
Step2: Redirected to Okta sign in page and logged in Okta.
Step3: It is redirected to my application(As I configured in redirect_uri in OKta)
Step4: oauth2/default/v1/authorize
got the the authorization code
Step5: passed the authorization code to the below token api
oauth2/default/v1/token, attaching the screen shot of this
with the above step Got the access_token
Step6: Accessed My application Rest Post API http://localhost:8080/person with the above access token as a header Authorization: Bearer (access_token) and Accept: application/json
Content-type: application/json and attached the screen shot.
How are you capturing and verifying the authorization header and bearer token on your application? There might be a misconfiguration on the jwt verifier that you have.
When passing a bearer token to a resource server, in order to retrieve the resources accordingly, you will need to implement a method on the server to capture the authorization header, parse the bearer token and retrieve the resources based on the user for which the access token was issued.
Capturing the authorization server should be an easy step from the backend. You will need to look for “Authorization” header, split/explode the value of the header (it should look something like “Bearer eyJraW…”) and take the second parameter which is the bearer/access token.
Parsing the token can be done through a JWT verifier or through a logic that you implement. You can find further details about this process and the libraries that Okta currently has here.
Retrieving the resources can be done based on the subject (sub) claim of the bearer token. Once you verify the authenticity, you can retrieve all the requested details that the user from the subject has access to.
