Cors error for fetching user using api/v1/users

Have added api key as authorization header, but when calling the request from angular app cors error is thrown. i have added in trusted origin too. the error for the request i get is

Kindly help me to get over this.

Thanks,
venkatesh.

You cannot call this endpoint from an Angular client since it’s not CORS-enabled. You have to use a backend framework to make this request, where no origin header is sent.

Backend framework in the sense you are saying like java ,node.

I called from my .net core backend with authorization header, but the response is like 403 forbidden.
Error response is like
{“errorCode”:“E0000005”,“errorSummary”:“Invalid session”,“errorLink”:“E0000005”,“errorId”:“oaeXDCjsTFYSMiV4Z6G8xeCHg”,“errorCauses”:}. Should i send session token with this ?
Any help would be appreciated. Thanks.

The Complete error message when calling from backend .net framework
using httpClient.
StatusCode: 403, ReasonPhrase: ‘Forbidden’, Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Date: Mon, 19 Apr 2021 01:39:20 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Public-Key-Pins-Report-Only: pin-sha256=“r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8=”; pin-sha256=“MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ=”; pin-sha256=“72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI=”; pin-sha256=“rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg=”; max-age=60; report-uri=“https://okta.report-uri.com/r/default/hpkp/reportOnly
Vary: Accept-Encoding
x-okta-request-id: YHzfSNO2nL7Znbdv75NwxwAADkU
x-xss-protection: 0
P3P: CP=“HONK”
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=315360000; includeSubDomains
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: application/json
}

You need to send a valid access token in the authorization header with your request in order get access. Or use one of our SDKs. They typically allow you to use an API key for access.

Does access token should have any specific scope or access token generated with session token itself is enough to fetch user for application. ? if i use access token generated with session token it gives 401 unauthorised error.

I believe you need to have API Access Management as a feature for this to work. If you have an authorization server under Security > API, you have it enabled. If you do have it enabled, you might need to generate your access token with scopes like openid, email, and profile.

I generated the token with same openid,email and profile and returned the access token and with the access token i used bearer authorisation and its returned 401 as error.

You’re trying to call Okta’s /api/v1/users endpoint right? Are you sending an API token issued to an admin as the authorization for this call against Okta?

Yes in postman i used api token with Authorization header it was working fine. when calling from backend(java) or from angular its throwing cors error when sending request with api token and 401 error if send request with bearer access_token.

using “Bearer {{access token}}” won’t work unless you are implementing OAuth for Okta AND have either a user with high enough permissions (an Admin user per this role chart) or a Service app requesting tokens with the correct Okta scopes (in this case, okta.users.read)

If you want to use Okta issued OAuth tokens to access Okta resources, I recommend reviewing these two guides: User-scoped tokens OR a Service app.

Note that in both cases, you MUST use the built-in Org Authorization server, discovery endpoint https://oktaDomain/.well-known/oauth-authorization-server, and not a Custom Authorization Server (such as “Default”) to mint your tokens.