Access Springboot rest api via Auth token

mnibras · March 29, 2023, 12:02pm

I have a spring boot Rest API. This API is invoked by some other spring boot application. I’m using Okta for security. These are the steps I have followed

Create new App integration as API Services.
Create a default scope in the authorization server.
Create a new user in the okta Directory under People.

After configuring Okta, I’m trying to get access token for the created user as below

HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
headers.setBasicAuth("<client_id>", "<client_secret>");

MultiValueMap<String, String> map= new LinkedMultiValueMap<>();
map.add("grant_type", "client_credentials");
map.add("username", "<user_email>");
map.add("password", "<user_password>");

HttpEntity<MultiValueMap<String, String>> entity = new HttpEntity<>(map, headers);

ResponseEntity<MyAccessTokenResponse> response = restTemplate.exchange("https://<my_okta_domain>.okta.com/oauth2/default/v1/token",
HttpMethod.POST, entity, MyAccessTokenResponse.class);
String accessToken = response.getBody().getAccessToken();

My question is even when I pass the wrong <user_email>, <user_password> I’m getting an access token. Also if I’m not passing <user_email>, <user_password> I’m still getting an access token.

So how can I get the validated access token? Using this token, I will invoke a secured API and extract the user email and do my business logic

Thanks in advance !!!

Regis · March 31, 2023, 10:50am

Hi @mnibras ,

I advise you to enter a wrong email address, log the access token, then decode it with https://jwt.io/ to see if it has valid information. Also look in your system logs on your Okta dashboard for confirmation that login was successful.

In your code, you can send the access token to our /introspect endpoint to see if it is valid.

erik · March 31, 2023, 10:26pm

Hello,

It looks like you are using the Client Credentials grant type which is intended for services where there is no user context. Passing a username/password will have no effect (or cause an error), instead the client_id and client_secret in the Authorization header are used for authentication.
See here.

I assume you may have intended to setup the Resource Owner Password flow if you want to have the token associated with a user?

Okta does not recommend the Resource Owner Password flow and suggest to using the Authorization Code flow instead.

Thank You,

Post		Replies	Views
Okta + Spring Boot - how to get access token Questions spring , java	6	8802	February 13, 2024
Unable to obtain new access token for resource 'null' Questions	4	7269	September 20, 2019
Get access token using Javascript Questions	5	8976	January 29, 2020
403 forbidden for Rest API with Okta OAuth/OIDC	9	12387	January 17, 2024
OAuth2 with OKTA in springboot API	5	1709	February 15, 2024

Access Springboot rest api via Auth token

Related topics