Google Cloud Endpoints - Use a PCKE generated Access Token

We’ve build an Authorization Component (.net core) that authenticates users through Okta, using the PKCE flow.

All other components (.net core) are secured using Okta.AspNetCore.

In a nutshell, the Authorization Component implements the PKCE flow, and generates an Access Token that is used by the other components, by using the Okta.AspNetCore middleware.

We are now moving the components to Google Cloud, and we will be using Cloud Endpoints for security.

Cloud Endpoints already has an integration with Okta, detailed here .
Okta also provides a detailed guide here.

According to the guide, after configuring Okta, the component OpenAPI specification will need the following configuration:

      securityDefinitions:
        okta_jwt:
          authorizationUrl: ""
          flow: "implicit"
          type: "oauth2"
          x-google-issuer: "https://YOUR_OKTA_TENANT_NAME.com"
          x-google-jwks_uri: "https://YOUR_OKTA_TENANT_NAME.com/oauth2/v1/keys"
          x-google-audiences: "YOUR_OKTA_CLIENT_ID"

As can be seen, this seems to indicate that the integration between Okta and Cloud Endpoints is based on the Implicit flow.

After everything is configured, the Endpoints can be access adding the Access Token generated by the Implicit flow:

"${ENDPOINTS_HOST}/echo?access_token=${TOKEN}"

For some reason, the Access Token that is created by our component, does not work with the above configuration.

I would like to ask if there is a way to use the Access Token generated by the PKCE flow, with Google Cloud endpoints.

Thank you!

Are you getting an error back when you send that access token in your request?

Most likely the issue is due to the resource server not being able to validate the access token as you are using the Org Authorization Server, which is unable to be used for OAuth use case, as discussed in this article.

If your org has the feature/SKU required to use a custom authorization server (if you’re an admin, this would mean you can navigate to the following menu Admin Console → Security → API → Authorization Servers), you can try changing the issuer, jwks, and audience in your configuration to see if a custom authorization server works instead.

1 Like

@andreaskouras,

thank you very much for your reply.

The problem was on my end, as i didn’t configured the okta_jwt section correctly.
In order to detect the problem i used https://jwt.io to verify the information from the generated token.

The key was to configure the okta_jwt section with the same information (issuer and audience) as the Okta API server that we are using to generate the token (we are using the Default server):

Based n the above, the correct configuration is:

  okta_jwt:
    authorizationUrl: ''
    flow: implicit
    type: oauth2
    x-google-issuer: https://YOUR_OKTA_TENANT_NAME.okta.com/oauth2/default
    x-google-jwks_uri: https://YOUR_OKTA_TENANT_NAME.okta.com/oauth2/default/v1/keys
    x-google-audiences: api://default
1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.