Cors error for fetching user using api/v1/users

I have added the API key as the Authorization header, but when calling the request from the Angular app a CORS error is thrown. I have added it in trusted origins too. The error for the request I get is

Kindly help me to get over this.

Thanks,
venkatesh.

You cannot call this endpoint from an Angular client since it’s not CORS-enabled. You have to use a backend framework to make this request, where no origin header is sent.

Backend framework in the sense you are saying, like Java or Node?

I called from my .NET Core backend with the authorization header, but the response is a 403 Forbidden.
The error response is:
{"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaeXDCjsTFYSMiV4Z6G8xeCHg","errorCauses":}. Should I send a session token with this?
Any help would be appreciated. Thanks.

The complete error message when calling from the backend (.NET Framework) using HttpClient:
StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Date: Mon, 19 Apr 2021 01:39:20 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly
Vary: Accept-Encoding
x-okta-request-id: YHzfSNO2nL7Znbdv75NwxwAADkU
x-xss-protection: 0
P3P: CP="HONK"
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=315360000; includeSubDomains
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: application/json
}

You need to send a valid access token in the Authorization header with your request in order to get access. Or use one of our SDKs; they typically allow you to use an API key for access.
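The pattern the replies above describe (keep the API token on a backend, call Okta from there, let the browser talk only to your own backend), as an added example that is not code from the thread or from Okta. It is Node 18+ JavaScript; OKTA_DOMAIN and OKTA_API_TOKEN are assumed environment variables, the stub responses are constructed to mirror the 403 body quoted earlier, and the error mapping is limited to the codes the thread actually shows.

```javascript
// Added example, not code from the thread: a backend-only List Users call.
// The Okta API token (SSWS scheme) stays on the server; the browser calls this
// backend instead of Okta, so no cross-origin request to Okta is ever made.
// Node 18+ (global fetch). OKTA_DOMAIN / OKTA_API_TOKEN are assumed env vars.

const OKTA_DOMAIN = process.env.OKTA_DOMAIN || 'example.okta.com';          // placeholder
const OKTA_API_TOKEN = process.env.OKTA_API_TOKEN || 'PLACEHOLDER_API_TOKEN'; // placeholder

// Build the request for GET /api/v1/users. API tokens use the "SSWS" scheme;
// "Bearer" is only for OAuth access tokens.
function buildListUsersRequest(oktaDomain, apiToken, { limit = 25 } = {}) {
  if (!/^[A-Za-z0-9.-]+$/.test(oktaDomain)) throw new Error('oktaDomain must be a bare hostname');
  if (!apiToken) throw new Error('API token is required');
  const url = new URL(`https://${oktaDomain}/api/v1/users`);
  url.searchParams.set('limit', String(limit));
  return {
    url: url.toString(),
    method: 'GET',
    headers: { Accept: 'application/json', Authorization: `SSWS ${apiToken}` },
  };
}

// Translate Okta's JSON error envelope ({errorCode, errorSummary, ...}) into an
// actionable message. 403 + E0000005 is the "Invalid session" reply quoted above.
function explainOktaError(status, body) {
  const code = body && body.errorCode;
  if (status === 403 && code === 'E0000005') {
    return 'Invalid session: the Authorization header was not accepted. Send "SSWS <api token>" ' +
      'from the backend, or a Bearer token minted by the org authorization server with okta.users.read.';
  }
  if (status === 401) return 'Unauthorized: token missing, expired, or not valid for this endpoint.';
  return `Okta returned ${status}${code ? ` (${code})` : ''}: ${(body && body.errorSummary) || 'no summary'}`;
}

// Perform the call. fetchImpl is injectable so the flow can be exercised offline.
async function listUsers(oktaDomain, apiToken, fetchImpl = globalThis.fetch) {
  const req = buildListUsersRequest(oktaDomain, apiToken);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers });
  const body = await res.json().catch(() => null);
  const requestId = res.headers.get('x-okta-request-id'); // log this; Okta correlates on it
  if (!res.ok) {
    return { ok: false, status: res.status, requestId, message: explainOktaError(res.status, body) };
  }
  // Return only what the front end needs; never forward the raw payload or the token.
  const users = (body || []).map(u => ({ id: u.id, status: u.status, login: u.profile && u.profile.login }));
  return { ok: true, status: res.status, requestId, users };
}

// Constructed stub reproducing the 403 response quoted earlier in the thread.
function stubOktaFetch403() {
  return async () => ({
    ok: false,
    status: 403,
    headers: new Map([['x-okta-request-id', 'constructed-request-id']]),
    json: async () => ({ errorCode: 'E0000005', errorSummary: 'Invalid session',
      errorLink: 'E0000005', errorId: 'constructed', errorCauses: [] }),
  });
}

// Constructed stub for a successful call (one user, made-up values).
function stubOktaFetch200() {
  return async () => ({
    ok: true,
    status: 200,
    headers: new Map([['x-okta-request-id', 'constructed-request-id']]),
    json: async () => [{ id: '00u-constructed', status: 'ACTIVE', profile: { login: 'alice@example.com' } }],
  });
}

// Live run only when a real token is configured; otherwise nothing touches the network.
if (process.env.OKTA_API_TOKEN && typeof require !== 'undefined' && require.main === module) {
  listUsers(OKTA_DOMAIN, OKTA_API_TOKEN).then(r => console.log(JSON.stringify(r, null, 2)));
}
```

The backend should expose its own endpoint to the Angular app (with your own session or token check on that endpoint) and call listUsers from there; the API token is never sent to the browser, and the thread's CORS error goes away because the browser no longer calls Okta directly.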

Does the access token need any specific scope, or is an access token generated with the session token itself enough to fetch the user for the application? If I use an access token generated with the session token it gives a 401 Unauthorised error.

I believe you need to have API Access Management as a feature for this to work. If you have an authorization server under Security > API, you have it enabled. If you do have it enabled, you might need to generate your access token with scopes like openid, email, and profile.

I generated the token with the same openid, email and profile scopes and it returned the access token; with that access token I used bearer authorisation and it returned a 401 error.

You’re trying to call Okta’s /api/v1/users endpoint right? Are you sending an API token issued to an admin as the authorization for this call against Okta?

Yes, in Postman I used the API token in the Authorization header and it was working fine. When calling from the backend (Java) or from Angular it throws a CORS error when sending the request with the API token, and a 401 error if I send the request with a bearer access_token.

Using "Bearer {{access token}}" won't work unless you are implementing OAuth for Okta AND have either a user with high enough permissions (an Admin user per this role chart) or a Service app requesting tokens with the correct Okta scopes (in this case, okta.users.read).

If you want to use Okta issued OAuth tokens to access Okta resources, I recommend reviewing these two guides: User-scoped tokens OR a Service app.

Note that in both cases, you MUST use the built-in Org Authorization server, discovery endpoint https://oktaDomain/.well-known/oauth-authorization-server, and not a Custom Authorization Server (such as “Default”) to mint your tokens.
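A local sanity check for the two Bearer-token mistakes this reply calls out (token minted by a custom authorization server instead of the org authorization server, and token missing the okta.users.read scope), as an added example that is not code from the thread or from Okta. It reads the JWT payload without verifying the signature, so it only catches misconfiguration before the request is sent; Okta still validates the token. The sample tokens are constructed with a dummy signature, and example.okta.com is a placeholder domain; the issuer comparison assumes the org authorization server's issuer is the bare org URL and a custom authorization server's issuer contains /oauth2/.

```javascript
// Added example, not code from the thread. Inspect an access token's claims before
// using it as "Bearer <token>" against /api/v1/users. No signature verification here;
// this is a pre-flight check for the configuration errors discussed above.

function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  // JWT segments are base64url; Node's Buffer decodes that directly.
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns { usable, problems, claims }. Assumption: the org authorization server's
// issuer is exactly https://<oktaDomain>; a custom one looks like https://<oktaDomain>/oauth2/<id>.
function checkOktaManagementToken(token, oktaDomain, requiredScope = 'okta.users.read') {
  const problems = [];
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (e) {
    return { usable: false, problems: [e.message], claims: null };
  }
  const orgIssuer = `https://${oktaDomain}`;
  if (claims.iss !== orgIssuer) {
    const hint = typeof claims.iss === 'string' && claims.iss.includes('/oauth2/')
      ? ' (looks like a custom authorization server; mint the token from the org authorization server instead)'
      : '';
    problems.push(`issuer ${claims.iss} is not the org authorization server ${orgIssuer}${hint}`);
  }
  // Okta places granted scopes in the "scp" claim as an array.
  const scopes = Array.isArray(claims.scp) ? claims.scp : [];
  if (!scopes.includes(requiredScope)) {
    problems.push(`scope ${requiredScope} missing (have: ${scopes.join(' ') || 'none'})`);
  }
  if (typeof claims.exp === 'number' && claims.exp * 1000 < Date.now()) {
    problems.push('token expired');
  }
  return { usable: problems.length === 0, problems, claims };
}

// Constructed sample tokens: plausible claims, dummy header and signature.
function makeUnsignedJwt(claims) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(claims)}.constructed-signature`;
}
const FAR_FUTURE = 4102444800; // 2100-01-01T00:00:00Z, so the samples never expire

// Minted by the org authorization server with the management scope: usable.
const goodToken = makeUnsignedJwt({
  iss: 'https://example.okta.com', aud: 'https://example.okta.com',
  scp: ['okta.users.read'], exp: FAR_FUTURE,
});
// Minted by the "default" custom authorization server with OIDC scopes only:
// the combination that yields the 401 described in the thread.
const customAsToken = makeUnsignedJwt({
  iss: 'https://example.okta.com/oauth2/default', aud: 'api://default',
  scp: ['openid', 'email', 'profile'], exp: FAR_FUTURE,
});

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of [goodToken, customAsToken]) {
    console.log(JSON.stringify(checkOktaManagementToken(t, 'example.okta.com'), null, 2));
  }
}
```

Run it before wiring the token into a request: if problems is non-empty, the fix is on the authorization-server or scope side, not in the HTTP call.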

I have similar issue with api/v1/users

I am trying to create a user (POST request). I have the trusted origin localhost:4200 specified in settings for my custom domain, but it is still failing with a CORS error.

I am trying to call this code myself, without Okta's widget.

Should I do anything else?

How are you authorizing the call to api/v1/users, api/v1/users/{userId}, or api/v1/users/me? Only endpoints that have a CORS tag under them in our API docs are CORS enabled, and api/v1/users (without a userId or me) is NOT a CORS enabled endpoint so you cannot make a List Users request from the front-end.

Obviously not as I am trying to register user via Okta endpoint.

Why are OIDC endpoints not marked with this sign but still available for CORS?

Is there any way to make user registration available via frontend, without any backend?

I tried to run the Okta sample and I see a lot of endpoints used by the Okta widget which are missing from the documentation:
POST https://{CUSTOM_DOMAIN}/api/v1/registration/reg19dz0r3BzH8PPa4x7/register
POST https://{CUSTOM_DOMAIN}/api/v1/authn
POST https://{CUSTOM_DOMAIN}/user/welcome/login/internal
POST https://{CUSTOM_DOMAIN}/security/xsrf-token
POST https://{CUSTOM_DOMAIN}/user/security_fields

Is this registration process documented anywhere?

There are no publicly documented endpoints for Self-Service Registration in an Okta Classic org and we are moving to a new model for this use case in the Okta Identity Engine platform.

Several of the other routes you note remain undocumented as they are only available/used internally by the Okta-hosted login page. If you are unable to find documentation about a given API endpoint, then we do not support developers interacting with it directly.

I should note that /authn IS a documented endpoint and would be used to log a user in if making a custom login page.

AuthN isn't for anonymous users, but it's a problem that you don't document these endpoints for some reason.

I just don't want to do registration on the backend side - with an Okta API token - as I want to be able to hit the auth server even when my backend is down.

The new model doesn't contain samples for the browser; are you aware of any possible future changes to the new model for the browser?

I just want to use either the password or the WebAuthn approach without any custom Okta widgets.

At this time I do not, no, I have not heard of any support for user enrollment without a backend.
