Access Spring Boot REST API via auth token

I have a Spring Boot REST API. This API is invoked by some other Spring Boot application. I'm using Okta for security. These are the steps I have followed:

  1. Create new App integration as API Services.
  2. Create a default scope in the authorization server.
  3. Create a new user in the okta Directory under People.

After configuring Okta, I'm trying to get an access token for the created user as below:

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

RestTemplate restTemplate = new RestTemplate();

// Client authentication: client_id / client_secret as HTTP Basic
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
headers.setBasicAuth("<client_id>", "<client_secret>");

// Form body of the token request
MultiValueMap<String, String> map = new LinkedMultiValueMap<>();
map.add("grant_type", "client_credentials");
map.add("username", "<user_email>");      // user credentials I expect Okta to validate
map.add("password", "<user_password>");

HttpEntity<MultiValueMap<String, String>> entity = new HttpEntity<>(map, headers);

// POST to the default authorization server's token endpoint
ResponseEntity<MyAccessTokenResponse> response = restTemplate.exchange(
        "https://<my_okta_domain>.okta.com/oauth2/default/v1/token",
        HttpMethod.POST, entity, MyAccessTokenResponse.class);
String accessToken = response.getBody().getAccessToken();

My question is: even when I pass a wrong <user_email> and <user_password>, I'm getting an access token. Also, if I'm not passing <user_email> and <user_password> at all, I'm still getting an access token.

So how can I get a validated access token? Using this token, I will invoke a secured API, extract the user email and do my business logic.

Thanks in advance!

Hi @mnibras ,

I advise you to enter a wrong email address, log the access token, then decode it with https://jwt.io/ to see if it has valid information. Also look in your system logs on your Okta dashboard for confirmation that login was successful.

In your code, you can send the access token to our /introspect endpoint to see if it is valid.

Hello,

It looks like you are using the Client Credentials grant type, which is intended for services where there is no user context. Passing a username/password will have no effect (or cause an error); instead, the client_id and client_secret in the Authorization header are used for authentication.
See here.

I assume you may have intended to set up the Resource Owner Password flow if you want to have the token associated with a user?

Okta does not recommend the Resource Owner Password flow and suggests using the Authorization Code flow instead.

Thank You,

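The two replies above make one combined point: with `client_credentials` the token is issued to the client, not to any user, so the only way to know what a token actually represents is to inspect its claims and confirm them with the authorization server. The following is an added example, not code from the question or from Okta, that does both checks from the calling Spring Boot application: it decodes the JWT payload locally for inspection (no signature check, so this is a look, not a validation), then sends the token to the `/v1/introspect` endpoint with the same client credentials and asks whether the token is active and whose subject it carries. The class name `TokenCheck`, the `isUserToken` helper and the placeholder issuer/client values are assumptions; so is the rule that Okta sets `sub` to the client ID on `client_credentials` tokens, which you should verify against a token from your own org. Jackson's `ObjectMapper` is assumed to be on the classpath, as it is with `spring-boot-starter-web`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

public class TokenCheck {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Decode the JWT payload locally WITHOUT verifying the signature.
    // This shows what the token claims (like pasting it into jwt.io);
    // it is not a validation step and must never be used as one.
    static Map<String, Object> peekClaims(String jwt) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS (expected 3 segments)");
        }
        byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
        return MAPPER.readValue(new String(payload, StandardCharsets.UTF_8), Map.class);
    }

    // Server-side validation: the authorization server says whether the
    // token is active and which subject it was issued for. The request is
    // authenticated with the same client_id / client_secret as the token request.
    static Map<String, Object> introspect(RestTemplate rest, String issuer,
                                          String clientId, String clientSecret,
                                          String token) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(clientId, clientSecret);

        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("token", token);
        form.add("token_type_hint", "access_token");

        return rest.postForObject(issuer + "/v1/introspect",
                new HttpEntity<>(form, headers), Map.class);
    }

    // Hypothetical helper: true only if the token is active AND its subject is
    // not the client itself. Assumption: Okta sets "sub" to the client ID for
    // client_credentials tokens, so such a token carries no user identity.
    static boolean isUserToken(Map<String, Object> introspection, String clientId) {
        Object active = introspection.get("active");
        Object sub = introspection.get("sub");
        return Boolean.TRUE.equals(active) && sub != null && !clientId.equals(sub);
    }

    public static void main(String[] args) throws Exception {
        // Placeholders, same as in the question; fill in from your Okta org.
        String issuer = "https://<my_okta_domain>.okta.com/oauth2/default";
        String clientId = "<client_id>";
        String clientSecret = "<client_secret>";
        String accessToken = args[0]; // token obtained as in the question

        System.out.println("claims (unverified): " + peekClaims(accessToken));

        Map<String, Object> result =
                introspect(new RestTemplate(), issuer, clientId, clientSecret, accessToken);
        System.out.println("introspection: " + result);
        System.out.println("issued for a user: " + isUserToken(result, clientId));
    }
}
```

Run it with the access token from the question as the single argument. For a token minted with `client_credentials` you should see `active: true` but a `sub` equal to the client ID and no user email in the claims, which is the behaviour the second reply describes: the username and password in the form body were never consulted. The resource server that receives the token should rely on the introspection result (or on a signature check against the issuer's JWKS), never on the locally decoded claims.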