Changing Audience Field in Issuer URI

Hello Okta Developers,

I am setting up OKTA with my Spring Boot Application 2.1.x. I built it following one of your examples. Got it to work as expected. When I try to change the Audience section within the Authorization Server from api://default to client Id (my company's default), I get a 400 error stating

Identity Provider: Unknown

Error Code: invalid_request

Description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.

I have searched up and down the forums looking into why this is happening but I can't find anything.

Here is my call in the controller
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@RequestMapping(value = { "/loginuser" }, method = RequestMethod.GET)
public String loginuser(@AuthenticationPrincipal OidcUser user, Model model, HttpServletRequest request) {
    String email = user.getEmail();

    model.addAttribute("email", email);
    model.addAttribute("lastAccess", usersLastAccess.get(email));
    model.addAttribute("firstName", user.getGivenName());
    model.addAttribute("lastName", user.getFamilyName());
    model.addAttribute("NickName", user.getNickName());

    return "loginuser"; // view name assumed; the rest of the method was cut off in the post
}

application.properties

okta.oauth2.issuer=https://dev-508476.okta.com/oauth2/aus1tv98c9u9yBuAk357
#okta.oauth2.issuer=https://dev-508476.okta.com/oauth2/default #If I use this issuer, Application runs perfectly 
okta.oauth2.clientId={my Client Id}
okta.oauth2.clientSecret={my Client Secret}

Thank you for your help

Hi @bstrick1

The error that you mentioned is caused by the redirect_uri query parameter in the URL not also being added in Okta under Admin >> Applications >> your OIDC app >> General >> Login Redirect URIs.

Can you please add the URL and let us know how it goes?

I added http://localhost:8080/loginuser in the Login redirect URI.

I am still not getting in but I do get an error stating

[access_denied] Policy evaluation failed for this request, please check the policy configurations.

Hi @bstrick1

Can you please check under Security >> API (or directly API if using Developer Admin Console) >> Authorization Servers >> your authorization server >> Access Policies if you have a custom policy and rule for your OIDC application and OIDC flow used?

Hello @dragos
I have not added any Access Policies.

Hello @dragos

Do I need to add an Access Policy?

Hi @bstrick1

Yes, please add an Access Policy, as this is required to evaluate the user’s and app’s permissions on the authorization server.

“Policies are evaluated in priority order, as are the rules in a policy. The first policy and rule that matches the client request is applied and no further rule or policy processing occurs. If a client matches no policies, the authentication attempt fails and an error is returned.”

https://developer.okta.com/docs/guides/customize-authz-server/create-access-policies/

Hello @Govner

I added an access policy and rule to the authorization server. I am still getting a 400 error stating:

Error Code: invalid_request

Description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.

I have also added all the URLs to the Login Redirect URIs, and I am still getting the error message after this.

Thank you,
Bryce

Hello @dragos

I am still having issues with the 400 error. Any suggestions?

Hi @bstrick1

Can you please copy the redirect_uri that you have set as query parameter in the link to /authorize endpoint and add it inside the OIDC app in Okta under Admin >> Applications >> OIDC app >> General >> Login Redirect URI?
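As an added example (not code from the thread or from Okta), the check below reproduces locally what the post above describes: it pulls the redirect_uri parameter out of the /authorize link the app redirects to and compares it, exactly, against the Login Redirect URIs configured on the OIDC app. The sample /authorize URL and the allow list are constructed; the org, authorization server id and client id are placeholders, and the sample uses Spring Security's default callback path /login/oauth2/code/okta as the redirect_uri.

```python
# Added example: reproduce Okta's redirect_uri allow-list check locally.
# Okta requires the redirect_uri to be an absolute URI that exactly matches one
# of the app's Login Redirect URIs; scheme, host, port, path and trailing slash
# all count. Extracting the value from the real /authorize link removes guessing.
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample allow list, mirroring what the thread describes being added.
# /loginuser is the controller route from the post, not necessarily the OAuth callback.
CONFIGURED_REDIRECT_URIS: List[str] = [
    "http://localhost:8080/loginuser",
]


def extract_redirect_uri(authorize_url: str) -> Optional[str]:
    """Return the (percent-decoded) redirect_uri query parameter, or None if absent."""
    params = parse_qs(urlparse(authorize_url).query)
    values = params.get("redirect_uri")
    return values[0] if values else None


def is_absolute(uri: str) -> bool:
    """An absolute URI needs both a scheme and a host part."""
    parts = urlparse(uri)
    return bool(parts.scheme) and bool(parts.netloc)


def check_redirect_uri(authorize_url: str, allowed: List[str]) -> Tuple[bool, str]:
    """Mimic the server-side check: absolute URI and exact match against the allow list."""
    uri = extract_redirect_uri(authorize_url)
    if uri is None:
        return False, "no redirect_uri parameter in the /authorize request"
    if not is_absolute(uri):
        return False, "redirect_uri %r is not an absolute URI" % uri
    if uri not in allowed:
        return False, "redirect_uri %r is not in the app's Login Redirect URIs" % uri
    return True, "redirect_uri matches the configured allow list"


# Constructed /authorize request; <org>, <authServerId> and <clientId> are placeholders.
SAMPLE_AUTHORIZE_URL = (
    "https://<org>.okta.com/oauth2/<authServerId>/v1/authorize"
    "?client_id=<clientId>&response_type=code&scope=openid+profile+email"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fokta"
    "&state=abc123"
)

if __name__ == "__main__":
    ok, reason = check_redirect_uri(SAMPLE_AUTHORIZE_URL, CONFIGURED_REDIRECT_URIS)
    print("OK" if ok else "REJECT", "-", reason)
```

Running it against the constructed sample prints REJECT, because the decoded redirect_uri (the callback path) differs from the /loginuser entry in the allow list; adding the exact decoded value to the list makes the check pass.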