Client Credentials Flow for Web API 2. Authorization Denied


#1

I have a WebAPI 2.0 Project which can be accessed by multiple clients. To enable Client Credentials Flow I added the following in Startup.cs. I have added an Authorization Server on Okta portal as well.

The values are as follows:
okta:OktaDomain: https://dev-1XXXXX.oktapreview.com/
okta:ClientId: XXXXXX
okta:AuthorizationServerId: aushlxbhp0chMuit20h7

app.UseOktaWebApi(new OktaWebApiOptions
{
    OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
    ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
    AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
    Audience = "http://localhost:11042"
});

I use Postman to get the access token successfully with the settings shown, but when I use the Bearer token to access the API, I get the “Authorization has been denied for this request” message. What could be the possible reason?


#2

Did you configure your Okta Authorization Server with the audience of http://localhost:11042?

A couple of things you could do to help your debugging: decode your access token using something like https://www.jsonwebtoken.io/ and compare the expected values from your configuration with the actual ones in the token.
Another option is to use the Okta System Logs (assuming the library you are using is making remote requests).

Keep us posted!


#3

Thanks for the reply.
Yes, I had on purpose put the audience as localhost.

I realize that the code app.UseOktaWebApi(new OktaWebApiOptions ...) results in a different, smaller token, but when I use the following code I was able to get the right token and access the APIs. The Okta documentation needs to be revisited and made slightly more verbose for first-time users:

using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Jwt;

// Issuer of the custom authorization server, derived from the app settings above
// (assumed form: <OktaDomain>/oauth2/<AuthorizationServerId>).
var authority = ConfigurationManager.AppSettings["okta:OktaDomain"].TrimEnd('/')
    + "/oauth2/" + ConfigurationManager.AppSettings["okta:AuthorizationServerId"];

// Fetches and caches the OpenID discovery document (and with it the signing keys).
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
    authority + "/.well-known/openid-configuration",
    new OpenIdConnectConfigurationRetriever(),
    new HttpDocumentRetriever());

// Debugging aid only: puts token contents into validation error messages. Turn off in production.
IdentityModelEventSource.ShowPII = true;

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
    TokenValidationParameters = new TokenValidationParameters
    {
        // Must match the 'aud' and 'iss' claims in the access token exactly.
        ValidAudience = ConfigurationManager.AppSettings["okta:Audience"],
        ValidIssuer = authority,
        // Resolve signing keys from the discovery document's JWKS.
        IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
        {
            var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
            return discoveryDocument.SigningKeys;
        }
    }
});
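The check suggested in #2 (decode the token and compare its claims with the API's configuration), as an added Python example that is not part of this thread: it reads the iss, aud and exp claims of a token without verifying the signature and reports what the JwtBearer validation in #3 would reject. The issuer form <OktaDomain>/oauth2/<AuthorizationServerId>, the sample token and its mismatched audience are assumptions constructed here.

```python
import base64
import json
import time

# Values from the thread (placeholders kept as posted).
OKTA_DOMAIN = "https://dev-1XXXXX.oktapreview.com/"
AUTHORIZATION_SERVER_ID = "aushlxbhp0chMuit20h7"
EXPECTED_AUDIENCE = "http://localhost:11042"
# Assumption: a custom Okta authorization server issues tokens with
# iss = <OktaDomain>/oauth2/<AuthorizationServerId>.
EXPECTED_ISSUER = OKTA_DOMAIN.rstrip("/") + "/oauth2/" + AUTHORIZATION_SERVER_ID

def _b64url(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token):
    """Split a compact JWS into (header, payload). The signature is NOT checked:
    this is for reading claims while debugging, never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url(parts[0])), json.loads(_b64url(parts[1]))

def find_mismatches(payload, expected_issuer, expected_audience, now=None):
    """Report each claim the API's token validation would reject."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_issuer:
        problems.append(f"iss: token has {payload.get('iss')!r}, API expects {expected_issuer!r}")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or an array
    if expected_audience not in audiences:
        problems.append(f"aud: token has {audiences!r}, API expects {expected_audience!r}")
    if payload.get("exp", float("inf")) <= now:
        problems.append(f"exp: token expired at {payload['exp']}")
    return problems

def make_sample_token(payload):
    """Constructed sample only: a JWT-shaped string with a dummy signature segment."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "kid": "constructed-kid"}), enc(payload), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    # Constructed token minted for a different audience than the API expects.
    sample = make_sample_token({"iss": EXPECTED_ISSUER, "aud": "https://example.org/other-api",
                                "exp": 4102444800, "cid": "XXXXXX"})
    _, claims = decode_unverified(sample)
    for problem in find_mismatches(claims, EXPECTED_ISSUER, EXPECTED_AUDIENCE):
        print(problem)
```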

#4

Thanks for the follow up!

cc: @nate.barbettini