403 forbidden from token endpoint

Hello, I am trying to access the token endpoint from my JavaScript Cordova application and I am getting the 403 Forbidden error. I have verified that the client_id and other parameters are accurate by running the same scenario through Postman, but when I run the same request from my application I get the 403 error.

I can get the authorization_code in the app as well as receive the access_token and id_token if I call the authorization endpoint with id_token and token; however, when I try the PKCE route I am running into that 403 Forbidden error.

I have had the issue with PKCE from a “Native” app. I have also tried a “Web” app but have gotten the same results. All seems to work through Postman but then I get the 403 Forbidden error in the app.

Are you using Ionic + Cordova or just JavaScript? The reason I ask is because I’ve successfully used Ionic AppAuth to integrate authentication with Okta.

I don’t intend to use Ionic, it is just a JavaScript app.

I’ll admit, I haven’t tried to use our APIs with raw JavaScript. I tend to use a library, like AppAuth-JS.

Okay, I can look into that library. Just seems a bit strange that Postman will connect through fine while using the “code” from Postman does not.

Hi @whodeee

Can you please check https://github.com/dragosgaftoneanu/okta-js-scripts/blob/master/auth-code-flow-pkce-spa/index.html? This sample does authorization code flow with PKCE in native JavaScript and gets the JWTs from Okta.

Thanks @dragos, I’ll check it out and let you know.

@dragos and @mraible I was able to solve my issue! I had to add “file://” to my Trusted Origin as well as adding it as a Redirect_URI for my app, then all worked well. Any issues you see using that?

Were you able to add file:// as a Trusted Origin on Okta? I didn’t think that was possible. I thought only http:// and https:// were supported.

Yes, I was able to add it - specifically file://localhost:{portnumber}

@dragos and @mraible do either of you see any issues with that Trusted Origin?

Hi @whodeee

There was a previous issue with adding file:// as extension for the URL, but it has been resolved, so the application should work successfully. 🙂

Thanks @dragos I thought I saw some mention of that before, but I couldn’t find where.