Can anybody advise what the following is caused by?
{"errorCode":"E0000015","errorSummary":"You do not have permission to access the feature you are requesting","errorLink":"E0000015","errorId":"oae2U7V8B_aQj-RVT8Qg_AOrA","errorCauses":[]}
Looking at Fiddler, it seems to happen when a request is made to
https://****.okta.com/oauth2/default/.well-known/openid-configuration
I don’t see a call in any of my code for this so assume it is something baked in.
Let’s step back for a second. What are you trying to do with your trial?
We have two versions of trials @ Okta.
Okta IT Trial - a 30-day limited trial that has features and functionality enabled for the IT product. This is useful for people that want to evaluate Okta for employee administration use-cases. SSO, reducing help desk tickets etc.
Okta API Products Trial - a finite number of user limited trial that has features and functionality enabled for the app developer. This is useful for people building externally facing applications that need to manage their end users and build on top of OAuth 2.0 and OpenID Connect.
The IT trial does not have OAuth 2.0 endpoints enabled for the app developer use cases. If you are building an employee based application on the IT Trial, you need to contact Okta at support@okta.com or get in touch with sales to have this functionality turned on.
On a separate thread, I’m going to see if we can get traction on enabling this feature on IT Trials since they are timed, I don’t see the harm.
Does the full IT solution have those features on by default or do I need to register them on our “real” account?
It matters what they bought, the pricing for the IT Product is SKU based, so it really matters.
One more question, are you attempting to protect any APIs and need an access_token or are you just interested in authenticating the user so they can SSO into Okta to access the end-user chiclet page?
Yeah that’s exactly what I’m trying to do, get my application onto that for our employees. We already have lots of other applications on there, Outlook etc.
That is the authorization server for your Okta organization. It will return an ID Token for your Okta organization. The custom authorization server /oauth2/default is used for people building non-employee applications where they need to control the access token and issuer of those tokens.
AuthorizationCodeReceived = async context =>
{
    // Exchange code for access and ID tokens
    var tokenClient = new TokenClient(
        issuer + "/v1/token", clientId, clientSecret);
    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(context.ProtocolMessage.Code, redirectUri);
    if (tokenResponse.IsError) // <---- error occurs here with "not found"
    {
        throw new Exception(tokenResponse.Error);
    }
}
issuer is “https://{{myOktaTrialPrefix}}.okta.com/”
I just downloaded the sample MVC4 Web app from OKTA on GitHub (which is an employee login app from what I can see) and in the web.config the Authority URL does have the /oauth2/default on the end of it. So it’s hard to understand which one to use!
I’m having very similar issues. When I try hitting the challenge with the /oauth2/default on the URL I get the same error as the OP. When I remove that from the end of the authority URL I get: OpenIdConnectMessage.Error was not null, indicating an error. Error: ‘unsupported_response_type’. Error_Description (may be empty): ‘The response type is not supported by the authorization server. Configured response types: [code].’. Error_Uri (may be empty): ‘’."
At this point I’m running your sample act directly and have just changed the web.config values to match our org’s.
Make sure you enable “Implicit (Hybrid)” => “ID Token” for the application in the Okta admin console. OWIN for .NET 4.x will try to use Hybrid flow and will request a response_type=id_token+code
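Added example, not part of the thread and not Okta's sample code: a C# helper that derives the endpoint URLs for the org authorization server and for the custom /oauth2/default server discussed above, and checks whether a hybrid request for "code id_token" is covered by the response types enabled on the application. OktaEndpoints, its method names and example.okta.com are assumptions made for illustration.

```csharp
using System;
using System.Linq;

// Added illustration; OktaEndpoints and its members are hypothetical names.
public static class OktaEndpoints
{
    // authority is either "https://{org}.okta.com" (org authorization server)
    // or "https://{org}.okta.com/oauth2/{serverId}" (custom authorization server).
    public static bool IsCustomServer(string authority) =>
        new Uri(authority).AbsolutePath.TrimEnd('/')
            .StartsWith("/oauth2/", StringComparison.OrdinalIgnoreCase);

    // The org server exposes its OAuth endpoints under /oauth2/v1;
    // a custom server exposes them under /oauth2/{serverId}/v1.
    private static string OAuthBase(string authority)
    {
        var trimmed = authority.TrimEnd('/');
        return IsCustomServer(trimmed) ? trimmed : trimmed + "/oauth2";
    }

    public static string Token(string authority) => OAuthBase(authority) + "/v1/token";
    public static string Authorize(string authority) => OAuthBase(authority) + "/v1/authorize";

    // The discovery document is served relative to the issuer in both cases.
    public static string Discovery(string authority) =>
        authority.TrimEnd('/') + "/.well-known/openid-configuration";

    // True when every response type the client requests is enabled on the app.
    public static bool ResponseTypeAllowed(string requested, string[] configured) =>
        requested.Split(new[] { ' ', '+' }, StringSplitOptions.RemoveEmptyEntries)
                 .All(r => configured.Contains(r, StringComparer.Ordinal));
}

public static class Program
{
    public static void Main()
    {
        const string org = "https://example.okta.com/";                  // constructed placeholder
        const string custom = "https://example.okta.com/oauth2/default"; // constructed placeholder

        Console.WriteLine("naive concat : " + org + "/v1/token"); // the pattern in the posted snippet
        Console.WriteLine("org token    : " + OktaEndpoints.Token(org));
        Console.WriteLine("custom token : " + OktaEndpoints.Token(custom));
        Console.WriteLine("org discovery: " + OktaEndpoints.Discovery(org));

        // OWIN's hybrid request against an app with only "code" enabled, then with ID Token enabled too.
        Console.WriteLine(OktaEndpoints.ResponseTypeAllowed("code id_token", new[] { "code" }));
        Console.WriteLine(OktaEndpoints.ResponseTypeAllowed("code id_token", new[] { "code", "id_token" }));
    }
}
```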
We are just trying to authenticate users in the org and bring in their AD groups as a list of claims assigned to their user principal once logged in. It’s an ASP.NET MVC web application using .NET 4.8
We’ve tried checking both options, and just checking the ID token option and we always get the same error. See the error screenshot. We have purchased OKTA and are currently working on integration.