Getting 403 forbidden when hitting okta api in a docker container

I’m taking the Okta cookie values from the Okta dashboard cookies and trying to hit https://okta_domain/api/v1/groups?limit=200&q=MERCURY-FF to get the list of groups.

I am using: DT, JSESSION_ID, SID, and OKTA_HOST when hitting the request.

This works fine when run as a standalone Python script on my local machine, and I also tried it in local Docker and it worked fine (in local Docker it worked most of the time, but sometimes I got the same 403 error).

When I tried to run the same Python script as part of a Docker container in GitHub GHCR, it constantly throws 403.

resp: <Response [403]>

113res: {'errorCode': 'E0000005', 'errorSummary': 'Invalid session', 'errorLink': 'E0000005', 'errorId': 'oae26Kle0S-Twm2Oiqsrlh-7w', 'errorCauses': []}

Hello,
Authentication and Scopes:
Ensure that the authentication tokens (DT, JSESSION_ID, SID) are correctly set in your Docker environment. Double-check that they are being passed to the API request headers.
Verify that the user associated with these tokens has the necessary permissions to access the Okta API. Review the authentication and sign-on policies applied to the user.
Network Zones and IP Blocking:
Check if your Docker container’s IP address is blocked by any Network Zone rules in Okta. If so, adjust the Network Zone settings to allow requests from the container’s IP.
Also, consider any firewall rules or security groups that might be affecting outbound requests from the container.
ThreatInsight:
ThreatInsight could potentially block requests. Ensure that the user’s IP address is not flagged by ThreatInsight.
Review any threat detection settings in Okta and adjust them as needed.
GitHub Container Registry (GHCR):
Verify that the environment variables (such as OKTA_HOST) are correctly set within your GitHub Actions workflow or Docker container.
Check if there are any differences in network configuration between local Docker and GitHub GHCR. For example, GitHub might have additional security measures or restrictions.
Scope Permissions:
If you’re using Okta Workflows, make sure you’ve granted the necessary scopes. Specifically, check if the okta.logs.read scope is granted for the Okta Workflows OAuth connection.


When making calls to our public API endpoints like /groups, you should be using an API token (either an Access Token granted by completing an OAuth flow or a static SSWS token, which we do not recommend). Using cookies to access these endpoints is NOT supported.

More info about how to get a token that can be used against Okta’s APIs can be found here: How to Integrate Postman with Okta | Okta Help Center

PS, we have a Python SDK to make this authorization and request formatting even simpler, and it supports using OAuth, so you may want to check that out: GitHub - okta/okta-sdk-python
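To illustrate the token-based approach described in this reply, here is an added example (not code from the thread or from Okta's SDK) that lists groups with an Authorization header instead of dashboard cookies, follows Okta's Link-header pagination, and surfaces the errorCode from a 403 body. The org URL and token are placeholders, and the fetch function is injectable so the logic can be exercised without network access.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Assumed placeholders: replace with your org URL and a token minted for it
# (an OAuth access token, or a static SSWS token if you must use one).
OKTA_HOST = "https://ORG_PLACEHOLDER.okta.com"
API_TOKEN = "TOKEN_PLACEHOLDER"

Fetch = Callable[[str, dict], Tuple[int, dict, bytes]]


class OktaApiError(Exception):
    """Raised on a non-200 response; carries Okta's errorCode (e.g. E0000005)."""
    def __init__(self, status: int, body: dict):
        super().__init__(f"HTTP {status}: {body.get('errorSummary', body)}")
        self.status, self.error_code = status, body.get("errorCode")


def auth_headers(token: str, scheme: str = "Bearer") -> dict:
    # "Bearer" for an OAuth access token, "SSWS" for a static API token.
    # No Cookie header: /api/v1 is not driven by dashboard session cookies.
    return {"Authorization": f"{scheme} {token}", "Accept": "application/json"}


def next_link(link_header: Optional[str]) -> Optional[str]:
    # Okta pages results with RFC 8288 Link headers: <url>; rel="next"
    for part in (link_header or "").split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def urllib_fetch(url: str, headers: dict) -> Tuple[int, dict, bytes]:
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def list_groups(base: str, token: str, q: str, fetch: Fetch = urllib_fetch,
                scheme: str = "Bearer") -> list:
    url = f"{base}/api/v1/groups?limit=200&q={urllib.parse.quote(q)}"
    groups = []
    while url:  # keep following rel="next" until the last page
        status, hdrs, body = fetch(url, auth_headers(token, scheme))
        data = json.loads(body or b"{}")
        if status != 200:
            raise OktaApiError(status, data)
        groups.extend(data)
        url = next_link({k.lower(): v for k, v in hdrs.items()}.get("link"))
    return groups
```

Calling `list_groups(OKTA_HOST, API_TOKEN, "MERCURY-FF")` performs the real request; an `OktaApiError` with `error_code == "E0000005"` is the token-side equivalent of the "Invalid session" body seen in the question.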

