Changing Audience Field in Issuer URI

Questions
1

Hello Okta Developers,

I am setting up OKTA with my Spring Boot Application 2.1.x. I built it following one of your examples. Got it work as expected. When I try to change the Audience section within the Authorization Server from api://default to client Id (My companies default), I get a 400 error stating

Identity Provider: Unknown

Error Code: invalid_request

Description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.

I have searched up and down the forums looking to why this happening but I cant find anything.

Here is my call in the controller
@RequestMapping(value = { “/loginuser” }, method = RequestMethod.GET)
public String loginuser(@AuthenticationPrincipal OidcUser user, Model model, HttpServletRequest request) {
String email = user.getEmail();

	        model.addAttribute("email", email);
	        model.addAttribute("lastAccess", usersLastAccess.get(email));
	        model.addAttribute("firstName", user.getGivenName());
	        model.addAttribute("lastName", user.getFamilyName());
	        model.addAttribute("NickName", user.getNickName());

application.properties

okta.oauth2.issuer=https://dev-508476.okta.com/oauth2/aus1tv98c9u9yBuAk357
#okta.oauth2.issuer=https://dev-508476.okta.com/oauth2/default #If I use this issuer, Application runs perfectly 
okta.oauth2.clientId={my Client Id}
okta.oauth2.clientSecret={my Client Secret}

Thank you for your help

2

Hi @bstrick1

The error that you mentioned is caused by the redirect_uri query parameter in the url not being also added in Okta under Admin >> Applications >> your OIDC app >> General >> Login Redirect URIs.

Can you please add the URL and let us know how it goes?

3

I added http://localhost:8080/loginuser in the Login redirect URI.

I am still not getting in but I do get an error stating

[access_denied] Policy evaluation failed for this request, please check the policy configurations.

4

Hi @bstrick1

Can you please check under Security >> API (or directly API if using Developer Admin Console) >> Authorization Servers >> your authorization server >> Access Policies if you have a custom policy and rule for your OIDC application and OIDC flow used?

5

Hello @dragos
I have not added any Access Policies.

6

Hello @dragos

Do I need to add an Access Policy?

7

Hi @bstrick1

Yes, please add an Access Policy, as this is required to evaluate the user’s and app’s permissions on the authorization server.

8

“Polices are evaluated in priority order, as are the rules in a policy. The first policy and rule that matches the client request is applied and no further rule or policy processing occurs. If a client matches no policies, the authentication attempt fails and an error is returned.”

https://developer.okta.com/docs/guides/customize-authz-server/create-access-policies/

9

Hello @Govner

I added an access policies and rule to the authorization server. I am still getting a 400 error stating.

Error Code: invalid_request

Description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.

I have also added all the URLS to the Login Redirect URI’s, I am still getting the error message after this.

Thank you,
Bryce

10

Hello @dragos

I am still having issues with the 400 error. Any suggestions?

11

Hi @bstrick1

Can you please copy the redirect_uri that you have set as query parameter in the link to /authorize endpoint and add it inside the OIDC app in Okta under Admin >> Applications >> OIDC app >> General >> Login Redirect URI?

12

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.