Inline Token Hook Issue

While testing the token inline hook with Okta, it's been observed that the original request context, i.e. data.Context from the original token request, is not being carried forward to the token inline hook request generated by Okta. It's intermittent behaviour, i.e. sometimes it passes the original request context properly, but not every time. Hence, in the hook implementation, I cannot add claims based upon the original incoming request from the client application. Please help.

Are you able to provide the payload, but omit the sensitive information? Also, are you triggering the token inline hook the same way every time? For example, are you redirecting to an /authorize request, or are you using a refresh token to get new tokens?


Thank you Warren for your reply. I am using the client credentials flow and redirecting to the /token endpoint to get new tokens. I will share both payloads here.

Request payload which is being passed to the inline token hook from Okta:

EventBody:
{
  "eventId": "4y01a20sS9WnympX57c0Sw",
  "eventTime": "2023-02-28T11:54:34Z",
  "eventType": "com.okta.oauth2.tokens.transform",
  "eventTypeVersion": "1.0",
  "contentType": "application/json",
  "cloudEventVersion": "0.1",
  "source": "https://<Okta URL>/oauth2/<authserverid>/v1/token",
  "data": {
    "context": {
      "request": {
        "id": "Y_3rej7GFsxYYMXJ4X4VagAADZQ",
        "method": "POST",
        "url": {
          "value": "https://<Okta URL>/oauth2/<authserverid>/v1/token?code=8fbff074-f2ab-4706-a676-7c37dd0df214"
        },
        "ipAddress": "<public IP of client machine>"
      },
      "protocol": {
        "type": "OAUTH2.0",
        "request": {
          "scope": "SCOPE",
          "grant_type": "client_credentials",
          "client_id": "<Client Id of Application>"
        },
        "issuer": {
          "uri": "https://<Okta URL>/oauth2/<authserverid>"
        },
        "client": {
          "id": "<Client Id of Application>",
          "name": "<Application Name>",
          "type": "PUBLIC"
        }
      },
      "policy": {
        "id": "00Zho3IP8TKbgLL4gOzsd7",
        "rule": {
          "id": "0pr7Zho3IP8TKbgLL4gOzs"
        }
      }
    },
    "access": {
      "claims": {
        "ver": 1,
        "jti": "AT.1w7fUAV_Zcs23i4i5i6i7i8ktfbCZho3IP8TKbgLL4gOzs",
        "iss": "https://<Okta URL>/oauth2/<authserverid>",
        "aud": "api://default",
        "cid": "<Client Id of Application>",
        "sub": "<Client Id of Application>"
      },
      "token": {
        "lifetime": {
          "expiration": 3600
        }
      },
      "scopes": {
        "SCOPE": {
          "id": "scp8749snq05WKh7CWY1d7"
        }
      }
    }
  }
}

If the original request context is passed properly, then the proper values are set; otherwise Okta sets the values internally.

I hope this will help.
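The payload above shows where the original request context lives (data.context.request.url) and that it is sometimes absent. The following is an added example, not code from the thread or from Okta, of a hook handler that copes with that: it reads the client-supplied code query parameter from the original request URL, validates it as untrusted input, and only then returns a com.okta.access.patch command adding it as a claim; when the context is missing it returns no commands so the token is issued unchanged, and it logs a summary per eventId so an operator can measure how often the context is dropped. The claim name request_code, the UUID format of code, and the sample payloads are assumptions constructed for the example.

```javascript
// Added example, not code from the thread or from Okta: a defensive handler for
// the token inline hook EventBody posted above. It reads
// data.context.request.url, pulls out the client-supplied "code" query
// parameter and, only when that value is present and well-formed, returns an
// Okta com.okta.access.patch command adding it as a custom claim. When Okta
// delivers a payload without the original request context (the intermittent
// case described in the thread), no command is returned, so the token is
// issued unchanged rather than with a guessed or empty claim value.
// Assumptions: the claim name "request_code" and the UUID format of "code".

const CLAIM_PATH = "/claims/request_code"; // hypothetical custom claim
const UUID_PATTERN =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Summarises what the hook received, for logging: lets an operator count how
// often the original request context is missing across eventIds.
function describeContext(eventBody) {
  const ctx = eventBody?.data?.context ?? {};
  return {
    eventId: eventBody?.eventId ?? null,
    hasRequestUrl: typeof ctx.request?.url?.value === "string",
    grantType: ctx.protocol?.request?.grant_type ?? null,
    clientId: ctx.protocol?.client?.id ?? null,
  };
}

// Returns the validated ?code=... value from the original request URL, or
// null when any part of the path is absent, the URL is malformed, or the value
// does not match the expected format. The value comes from the client request,
// so it is treated as untrusted input and never copied into a claim unchecked.
function extractRequestCode(eventBody) {
  const urlValue = eventBody?.data?.context?.request?.url?.value;
  if (typeof urlValue !== "string") return null;
  let url;
  try {
    url = new URL(urlValue);
  } catch {
    return null;
  }
  const code = url.searchParams.get("code");
  return code !== null && UUID_PATTERN.test(code) ? code : null;
}

// Builds the hook response. An empty commands list leaves the token as Okta
// would otherwise issue it.
function buildHookResponse(eventBody) {
  const code = extractRequestCode(eventBody);
  if (code === null) return { commands: [] };
  return {
    commands: [
      {
        type: "com.okta.access.patch",
        value: [{ op: "add", path: CLAIM_PATH, value: code }],
      },
    ],
  };
}

// Entry point for an HTTP handler: takes the raw request body string and
// returns the JSON-serialisable response object.
function handleHook(rawBody) {
  let eventBody;
  try {
    eventBody = JSON.parse(rawBody);
  } catch {
    return { commands: [] }; // unparseable body: do not alter the token
  }
  const summary = describeContext(eventBody);
  if (!summary.hasRequestUrl) {
    console.warn("token hook: original request context missing", summary);
  }
  return buildHookResponse(eventBody);
}

// Constructed sample payloads (not real Okta data), mirroring the posted shape.
const WITH_CONTEXT = {
  eventId: "sample-event-1",
  eventType: "com.okta.oauth2.tokens.transform",
  data: {
    context: {
      request: {
        method: "POST",
        url: {
          value:
            "https://dev-000000.okta.com/oauth2/aus0000/v1/token?code=8fbff074-f2ab-4706-a676-7c37dd0df214",
        },
      },
      protocol: {
        type: "OAUTH2.0",
        request: { grant_type: "client_credentials" },
        client: { id: "0oa-sample-client" },
      },
    },
    access: { claims: { aud: "api://default" } },
  },
};

// The same event with the request context omitted, as seen intermittently.
const WITHOUT_CONTEXT = JSON.parse(JSON.stringify(WITH_CONTEXT));
delete WITHOUT_CONTEXT.data.context.request;
```

Wiring handleHook into an HTTPS endpoint is left to whatever framework hosts the hook; the point is that the handler's behaviour is decided by whether data.context.request is present in the body, not by assuming it always is, and that the warn line gives a per-event record of the intermittent failures to correlate with Okta's own logs.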

From what I understand, you would make a POST request to /token for the client credentials flow.

Are you the one that's passing the code parameter in the /token request?


Yes, I make a POST request to /token for the client credentials flow and pass the code parameter in the request.

As the inline token hook is configured, Okta internally makes a call to it and passes the original request context, of which this code parameter is also a part.

But as mentioned above, sometimes Okta passes it properly and sometimes not.