Importance of User-Agent and X-Forwarded-For headers in trusted application authentication

I have a requirement to authenticate users inside a back-end application. According to documentation in https://developer.okta.com/docs/reference/api/authn, it seems I should be using the trusted application authentication.

In the example given for trusted application authentication, there are headers for User-Agent and X-Forwarded-For to pass information to Okta about the end user.

From a quick test I did, it does not seem to be mandatory to have those two headers for a successful authentication. For example, the following request succeeds:

curl -X POST \
  https://mydomain.okta.com/api/v1/authn \
  -H 'Accept: application/json' \
  -H 'Authorization: SSWS MyAPIToken' \
  -H 'Content-Type: application/json' \
  -d '{
  "username": "user@example.com",
  "password": "correcthorsebatterystaple"
}'

(Note that I have an SSWS header but no X-Forwarded-For or User-Agent headers set in the request.)

My questions are:

  1. What would be the impact of not passing through User-Agent and X-Forwarded-For headers?

  2. Is it possible that Okta would start rejecting requests because of the high volume of authentication requests originating from my back-end application? (Legitimate volume due to multiple users trying to authenticate themselves.)

According to the Okta support team, these two headers only matter for metrics, not for the actual authentication function.

Hello svi,

These headers are strongly encouraged to allow security features, such as ThreatInsight and geolocation policies, to work correctly. Note that you will also need to list the source IP address of your application (i.e. any/all servers/instances running the application) as a proxy server in a network zone in your Okta tenant.

Aside from the security benefits, they will also make it a lot easier to troubleshoot end-to-end, by being able to match the User-Agent and IP address in your application server logs with the same identifiers in the Okta logs.

Edit: To clarify, you should copy the User-Agent from the session context of the user's request, and do the same for the IP address to populate the X-Forwarded-For header. Putting static data in these headers provides no benefit.

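The advice in the answer, as an added example that is not code from the thread or from Okta: a Python helper that takes the end user's IP from the incoming request (honouring an existing X-Forwarded-For chain only when it came through one of your own trusted proxies, a detail the thread does not cover) and copies that IP and the user's own User-Agent into the headers of the trusted-application /authn call. The tenant domain, API token and proxy addresses are placeholders.

```python
import ipaddress
import json
from typing import Dict, Optional, Set, Tuple

# Placeholders: the tenant domain from the question and an obviously fake token.
OKTA_AUTHN_URL = "https://mydomain.okta.com/api/v1/authn"
OKTA_API_TOKEN = "<SSWS API token placeholder>"


def client_ip_from_request(peer_addr: str, xff_header: Optional[str],
                           trusted_proxies: Set[str]) -> str:
    """Return the end user's IP as seen by this application.

    The incoming X-Forwarded-For header is only honoured when the TCP peer is
    one of our own trusted proxies (load balancer, reverse proxy). The chain is
    then walked from the right, skipping trusted hops; the first untrusted
    address is the client. Anything malformed falls back to the peer address.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if peer_addr not in trusted_proxies or not hops:
        return peer_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr
        if hop not in trusted_proxies:
            return hop
    return peer_addr


def build_authn_request(username: str, password: str, end_user_ip: str,
                        end_user_agent: Optional[str]) -> Tuple[Dict[str, str], str]:
    """Headers and JSON body for the trusted-application /authn call.

    X-Forwarded-For carries the real client IP and User-Agent is copied from
    the user's request; when the browser sent no User-Agent the header is left
    out rather than filled with a static value, which gives Okta nothing useful.
    """
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"SSWS {OKTA_API_TOKEN}",
        "X-Forwarded-For": end_user_ip,
    }
    if end_user_agent:
        headers["User-Agent"] = end_user_agent
    body = json.dumps({"username": username, "password": password})
    return headers, body
```

The headers and body are what you would hand to your HTTP client for the POST to OKTA_AUTHN_URL; the application's own egress IP still has to be registered as a proxy in an Okta network zone for the forwarded IP to be used.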