External API requests to Web Application

I have a use case where an external server would need to send a REST request (via Python requests) to our web app backend. I'd like to authorize access to the incoming REST call.

I was doing this to some degree with self-generated JWT tokens but given that I already have an okta resource server I was hoping to just keep it all in the same family.

Given a client ID and client secret, is there a way to generate an access ID that I can confirm on our backend? Looking over the OpenID Connect endpoints in Postman makes me think that I can get it with a refresh token and a redirect URI. Since I'm starting from a Python script, I don't exactly know how a redirect is useful, and I certainly don't have a refresh token.

Any chance someone can point me in the correct direction?

Thanks!

Hello,

Typically, for an authorization code flow where there will be a user context associated, Okta recommends using a browser redirect model.

Since this is a Python script, will there be a user context (user login) for these requests, or will the Python process run as a service? If running as a service, I would recommend doing a client credentials flow.

Thank You,

Hi,

Thanks for pointing me in the correct direction.

I’m now able to generate an access token, but an introspection on the token yields it as inactive.

My auth server URL looks like:

https://dev-#########.okta.com/oauth2/au##########d7

And the introspection endpoint/auth methods look like:

    "introspection_endpoint": "https://dev-#########.okta.com/oauth2/au##########d7/v1/introspect",
    "introspection_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post",
        "client_secret_jwt",
        "private_key_jwt",
        "none"

I'm providing the introspection client ID/secret as basic auth from the same API I generated the access token from.
What am I missing here?

Thanks!

I sorted it out. It was the correct introspection endpoint. I was passing the access token in Postman in the wrong place.

Thanks for your help!
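The thread above covers two things: the client credentials flow the Okta reply recommends for a headless Python service, and the introspection mistake the original poster found (the access token sent in the wrong place, so the endpoint reported it inactive). The following is an added example, not code from the original posts or from Okta, that shows both with only the Python standard library. ISSUER, CLIENT_ID, CLIENT_SECRET and SCOPE are placeholders you must replace with your own custom authorization server and app; FakeOkta is a constructed stand-in for urlopen so the example runs offline, and pass the default transport (urlopen) to talk to a real org.

```python
"""Client-credentials token fetch plus RFC 7662 introspection against an Okta
custom authorization server, standard library only.  Example added to this thread
(not from the posts or from Okta); the four constants below are placeholders."""
import base64
import io
import json
import secrets
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

ISSUER = "https://dev-000000.okta.com/oauth2/aus0000000000000000"  # placeholder
CLIENT_ID = "0oa_placeholder_client_id"                             # placeholder
CLIENT_SECRET = "placeholder_client_secret"                         # placeholder
SCOPE = "api.read"  # a custom scope defined on that authorization server (placeholder)

def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 2.3.1): Base64 of 'client_id:client_secret'."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def form_post(url, client_id, client_secret, fields):
    """Form-encoded POST authenticated with the *client's* credentials."""
    return Request(url, data=urlencode(fields).encode(), method="POST", headers={
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json"})

def build_token_request(issuer, client_id, client_secret, scope):
    """Client-credentials grant: no user login, no redirect_uri, no refresh token."""
    return form_post(issuer + "/v1/token", client_id, client_secret,
                     {"grant_type": "client_credentials", "scope": scope})

def build_introspect_request(issuer, client_id, client_secret, token):
    """The token under inspection travels in the form body as `token`; the
    Authorization header still carries the client id/secret, not the token."""
    return form_post(issuer + "/v1/introspect", client_id, client_secret,
                     {"token": token, "token_type_hint": "access_token"})

def send_json(request, transport=urlopen):
    with transport(request) as resp:
        return json.loads(resp.read().decode())

def get_access_token(issuer, client_id, client_secret, scope, transport=urlopen):
    req = build_token_request(issuer, client_id, client_secret, scope)
    return send_json(req, transport)["access_token"]

def token_is_active(issuer, client_id, client_secret, token, transport=urlopen):
    """Only a literal JSON true counts; a missing key or false means inactive."""
    req = build_introspect_request(issuer, client_id, client_secret, token)
    return send_json(req, transport).get("active") is True

class FakeOkta:
    """Constructed stand-in for urlopen so the example runs offline.  Implements
    just enough of /v1/token and /v1/introspect for the cases shown in demo()."""
    def __init__(self, client_id, client_secret):
        self.expected_auth = basic_auth_header(client_id, client_secret)
        self.issued = set()

    def __call__(self, request):
        if request.get_header("Authorization") != self.expected_auth:
            raise HTTPError(request.full_url, 401, "invalid_client", {}, None)
        form = parse_qs(request.data.decode())
        path = urlparse(request.full_url).path
        if path.endswith("/v1/token"):
            if form.get("grant_type") != ["client_credentials"]:
                raise HTTPError(request.full_url, 400, "unsupported_grant_type", {}, None)
            token = secrets.token_urlsafe(32)
            self.issued.add(token)
            body = {"token_type": "Bearer", "expires_in": 3600,
                    "access_token": token, "scope": form.get("scope", [""])[0]}
        elif path.endswith("/v1/introspect"):
            # RFC 7662: unknown, expired or absent token -> {"active": false}, not an error
            body = {"active": form.get("token", [None])[0] in self.issued}
        else:
            raise HTTPError(request.full_url, 404, "not_found", {}, None)
        return io.BytesIO(json.dumps(body).encode())

def demo():
    okta = FakeOkta(CLIENT_ID, CLIENT_SECRET)
    token = get_access_token(ISSUER, CLIENT_ID, CLIENT_SECRET, SCOPE, transport=okta)
    result = {"active": token_is_active(ISSUER, CLIENT_ID, CLIENT_SECRET, token, transport=okta)}
    # The thread's symptom: right endpoint, right client creds, token in the wrong
    # place (here the query string instead of the form body) -> "active": false.
    misplaced = form_post(f"{ISSUER}/v1/introspect?token={token}", CLIENT_ID,
                          CLIENT_SECRET, {"token_type_hint": "access_token"})
    result["misplaced_active"] = send_json(misplaced, okta).get("active") is True
    result["forged_active"] = token_is_active(ISSUER, CLIENT_ID, CLIENT_SECRET,
                                              "not-a-token-okta-issued", transport=okta)
    try:  # a wrong client secret is a 401 from the token endpoint, never a token
        get_access_token(ISSUER, CLIENT_ID, "wrong-secret", SCOPE, transport=okta)
        result["bad_secret_status"] = 200
    except HTTPError as err:
        result["bad_secret_status"] = err.code
    return result
```

Run `demo()` to see the four outcomes side by side: a real token introspects as active, the same token placed anywhere but the `token` form field comes back inactive, a forged token comes back inactive, and bad client credentials fail at the token endpoint with 401. On the backend that receives the external call, `token_is_active` (with the resource server's own client ID/secret) is the check to run before honouring the request.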
