Accessing secure service endpoints from processes


#1

I am working on building a demo to show how we could use Okta for processes to hit secure endpoints. These processes are background processes like scheduled jobs, console apps or maybe other services. I read some of your documentation and determined this to be machine-to-machine auth and concluded that this should use client credentials for auth. Is this right?

These processes will be owned by Active Directory accounts and we’ll tie our Okta to AD. In this case, is there a simpler, almost-like-magic way of authorizing the request from the process? Something where Okta knows about AD, the process owner is in AD and so Okta authorizes the request from the process?

I proceeded with the machine-to-machine auth solution. I believe here I first request a token using the client_id and client_secret, then I use the token in subsequent requests to secure endpoints. Is this right? But before I write this code, I wanted to try out the token request using Postman. So I set up a web application in my Okta preview, then used Postman to POST a request with the following info:

And I get 403 Forbidden. I am guessing there is some problem with my set up, but I can’t figure it out… :worried:

I would love your help on this.

Thanks!


#2

Hey @subuiyer!
Take a look at the “Set Up Your Authorization Server” section of this post.

Make sure you set up the custom scope (if you didn’t already). If that doesn’t help, let us know!


#3

I hope you were able to find the issue here using the link @bdemers posted.
If not, here’s the issue in your setup -

  • You mentioned that you set up a “Web application” in Okta preview. Did you select “Web” when creating the application or did you select “Service”? If you want to use the client credentials flow, you should be using “Service”.
  • Make sure that you have created a custom scope in your Auth Server as you won’t be able to use OpenID scopes.

This document is helpful - https://developer.okta.com/authentication-guide/implementing-authentication/client-creds


#4

Thanks for the prompt replies! But I can’t get this to work.
Let me explain what I have tried:

  1. In the Okta dev console, I create a new application of type Service and call it CoolServiceApp. The app gets created and I see the client ID and secret.
  2. Then I go to API - Auth Servers. I have 1 auth server called default. I click the pencil icon to edit it. I go to the Scopes tab and create a new scope called custom_mod; this is not the default scope and I don’t have ‘Include in metadata’ checked. I haven’t added/removed anything in the Claims and Access Policies tabs.
  3. I go to the Token Preview tab and set my Request Properties OAuth/OIDC Client = CoolServiceApp, Grant Type = Client Credentials and Scopes = custom_mod and click Preview Token and I see a token. I am assuming this means that my setup is right and complete.
  4. Next I use Postman with the following:
    • Url = https://dev-851196.oktapreview.com/oauth2/default/v1/token
    • Request Type: POST
    • Authorization: in Postman, I go to the Basic Auth tab, set the Client ID for CoolServiceApp as the Username, Client Secret as the Password, hit refresh headers and I now have my Authorization header
    • In data, I set grant_type=client_credentials, scope=custom_mod
    • Click Send

And I get a 403 Forbidden response. This is just a sample app, so I can share my client ID and secret if you want to try this out yourself.
Where can I find logs? I go to API - System Log, CoolServiceApp - View Logs and I don’t see anything related to these requests I make.

What am I missing?

Thanks so much!
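The Postman steps above, written out as code so the same client-credentials exchange can be run from a scheduled job or console app. This is an added example for the thread, not the poster's code or Okta's SDK: the org domain, client ID, client secret and protected API URL are placeholders, and the scope name custom_mod is taken from the post. It builds the Basic Authorization header the token endpoint expects (client_id:client_secret, base64-encoded, as in Postman's Basic Auth tab), posts grant_type=client_credentials with the custom scope, then sends the returned access token as a Bearer token to the protected endpoint. Because a non-200 token response from the endpoint carries a JSON body with error and error_description, the example surfaces that body instead of only the status code, which is the first thing to read when debugging a 403.

```python
"""Client-credentials flow against an Okta custom authorization server.

Added example for this thread. All values below are placeholders; replace them
with the Service app's real client ID/secret and your own org domain and API.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumed for this example), not the poster's real values.
ISSUER = "https://dev-XXXXXX.oktapreview.com/oauth2/default"  # custom auth server "default"
CLIENT_ID = "0oaEXAMPLEclientid"        # client ID shown after creating the Service app
CLIENT_SECRET = "EXAMPLEclientsecret"   # keep the real one out of source control
SCOPE = "custom_mod"                    # custom scope created on the auth server (from the post)
PROTECTED_URL = "https://api.example.internal/jobs/run"  # your resource server (placeholder)


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return the Authorization header value for HTTP Basic client authentication.

    This is exactly what Postman's Basic Auth tab produces with the client ID as
    username and the client secret as password: base64("client_id:client_secret").
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(issuer: str, client_id: str, client_secret: str, scope: str):
    """Assemble (url, headers, body) for the client-credentials token request."""
    url = issuer.rstrip("/") + "/v1/token"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    # Form-encoded body; the scope must be a custom scope on the auth server,
    # OpenID scopes are not usable with client_credentials.
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def parse_token_response(status: int, body: bytes) -> dict:
    """Turn the token endpoint's reply into a dict, or raise with the OAuth error.

    A non-200 reply is a JSON error object; reporting error/error_description is
    far more useful than the bare status line Postman shows.
    """
    data = json.loads(body.decode("utf-8") or "{}")
    if status != 200 or "access_token" not in data:
        raise RuntimeError(
            f"token request failed (HTTP {status}): "
            f"{data.get('error', '?')}: {data.get('error_description', '(no description)')}"
        )
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data


def fetch_token() -> dict:
    """Perform the token request over the network and return the parsed response."""
    url, headers, body = build_token_request(ISSUER, CLIENT_ID, CLIENT_SECRET, SCOPE)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # urllib raises on 4xx/5xx; the body still holds the JSON error object.
        return parse_token_response(exc.code, exc.read())


def call_protected(access_token: str, url: str = PROTECTED_URL) -> int:
    """Use the access token as a Bearer token against the protected endpoint."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    token = fetch_token()
    print(f"got token, expires in {token.get('expires_in')}s, scope={token.get('scope')}")
    print("protected endpoint returned HTTP", call_protected(token["access_token"]))
```

Running the script with your real values performs the same two calls the post describes; if the token step fails, the raised message names the OAuth error the authorization server returned, which is also what to correlate against the System Log entry for the request.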


#5

The steps you mentioned seem all right.
I tried the same with my org and I’m not facing any issues.
Here are some screenshots from my Postman requests -

Also for the logs, you should be able to see the requests made on the “System Log” section of the “Dev Console” as shown in the screenshot above.