Java User API GET Returning 401 Unauthorized

Hello, I have set up Spring Boot security with OAuth 2 using JWT and it works fine. The requests are secured and validated through my console.

However, I want to use the Users API to get the current user’s first name and last name so that we can autopopulate the internal Users table data on our private DB (Users | Okta Developer).

It says there to use the header:
-H "Authorization: SSWS ${api_token}" \

But that is not working with our Jwt token, I have also tried setting as Bearer:

import java.io.IOException;
import java.util.Map;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;

		String oktaUserUrl = "https://myauth-dev.ice.gov/api/v1/users/me";
		Map<String, Object> map = null; // the user object has a nested "profile", so values are not all Strings
		Jwt credential = (Jwt) SecurityContextHolder.getContext().getAuthentication().getCredentials();

		try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
			ObjectMapper mapper = new ObjectMapper();

			HttpGet request = new HttpGet(oktaUserUrl);
			request.addHeader(HttpHeaders.ACCEPT, "application/json");
			request.addHeader(HttpHeaders.CONTENT_TYPE, "application/json");
			// getTokenValue() sends the compact JWT string; "Bearer " + credential would send Jwt.toString()
			request.addHeader(HttpHeaders.AUTHORIZATION, "Bearer " + credential.getTokenValue());
			HttpResponse result = httpClient.execute(request);
			String json = EntityUtils.toString(result.getEntity(), "UTF-8");

			map = mapper.readValue(json, new TypeReference<Map<String, Object>>() {});
			// httpClient is closed by try-with-resources; no explicit close() needed
		} catch (IOException ex) {
			// Surface the failure instead of silently swallowing it
			throw new IllegalStateException("Okta user lookup failed", ex);
		}

The credential object looks correct when I inspect the values, there is nothing to indicate any problem with the token data at all. The sub email is there, the tokenValue is there… it all looks good.

Yet, I keep getting a 401 error saying Unauthorized Access… I tried the url https://myauth-dev.ice.gov/api/v1/users/me and get the valid results in the browser when I am logged in.

Can you please advise as to what settings I need to configure my HttpClient with to get this to work? Is it possible this needs to be added into the Okta Admin Console for our internal application as well?

Hello @aelkman,

With Okta Classic orgs, if you wanted to use a bearer token, it needed to be populated with the correct Okta scopes (i.e. okta.users.read.self). Only the Okta Org Authorization Server could mint tokens with these scopes; custom authorization servers could not.

With OIE Orgs you should be using the MyAccountAPI which can have tokens minted from custom authorization servers as well as the Org authorization server with the needed scopes.

Thank You,

1 Like

Hello @erik I see nothing about user’s firstname or lastname in the link you provided.

Are you telling me there is no way of retrieving this information with a regular Jwt bearer token?

If that is the case, then what is the solution for my project?

Hello @aelkman,

If you are using a custom authorization server, the easiest way would be to map any custom claims you need to either the access or ID token. That way you wouldn’t need to make an extra call.

If you do use the MyAccountAPI the getMyUserProfile will return first/last name plus their entire Okta user profile.

{
  "createdAt": "2022-04-06T21:04:54.000Z",
  "modifiedAt": "2022-12-19T06:34:32.000Z",
  "profile": {
    ...
    "lastName": "West",
    "preferredLanguage": null,
    ...
    "login": "kay.west@oktaice.com",
    ...
    "firstName": "Kay",
  },
  ...
}

You could also call /userinfo with the access_token to get their full claims, and this would not require requesting any extra scopes.

{
  "sub": "00u3ewy1nn8VRu8Qs1d7",
  "name": "Kay West",
  ...
  "preferred_username": "kay.west@oktaice.com",
  "given_name": "Kay",
  "family_name": "West",
  ...
}

Thank You

2 Likes
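The /userinfo approach from the reply above, as an added Java example that is not code from the thread: it derives the endpoint from the token's own iss claim (Okta serves userinfo at <issuer>/v1/userinfo for both the org and custom authorization servers), sends the raw token value as the bearer credential, and checks the HTTP status instead of parsing a 401 body as if it were a profile. The class and record names are hypothetical; it assumes the access token was requested with the openid and profile scopes.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Optional;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.http.HttpHeaders;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;

/** Looks up the caller's first and last name at the issuer's /userinfo endpoint (hypothetical class). */
public class UserInfoClient {
    public record UserName(String givenName, String familyName) {}
    private static final ObjectMapper MAPPER = new ObjectMapper();

    public Optional<UserName> currentUserName() throws IOException {
        // Access token that Spring Security already validated for this request
        Jwt credential = (Jwt) SecurityContextHolder.getContext().getAuthentication().getCredentials();
        // Build the URL from the token's issuer, so it works for the org authorization server
        // (.../oauth2) and for a custom one (.../oauth2/<id>) alike
        String userInfoUrl = credential.getIssuer().toString() + "/v1/userinfo";
        HttpGet request = new HttpGet(userInfoUrl);
        request.addHeader(HttpHeaders.ACCEPT, "application/json");
        // Send the compact JWT string; "Bearer " + credential would send the Jwt object's toString()
        request.addHeader(HttpHeaders.AUTHORIZATION, "Bearer " + credential.getTokenValue());

        try (CloseableHttpClient client = HttpClientBuilder.create().build();
             CloseableHttpResponse response = client.execute(request)) {
            int status = response.getStatusLine().getStatusCode();
            String body = EntityUtils.toString(response.getEntity(), "UTF-8");
            if (status != 200) {
                // On 401 the WWW-Authenticate header states why the token was rejected
                // (expired, wrong audience, missing scope); surface it instead of parsing the body
                throw new IOException("userinfo returned HTTP " + status + " "
                        + response.getFirstHeader("WWW-Authenticate") + ": " + body);
            }
            Map<String, Object> claims = MAPPER.readValue(body, new TypeReference<>() {});
            Object given = claims.get("given_name");
            Object family = claims.get("family_name");
            // Both claims are only released when the token carries the profile scope
            if (given == null || family == null) {
                return Optional.empty();
            }
            return Optional.of(new UserName(given.toString(), family.toString()));
        }
    }
}
```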

Ok I’ll give those a shot, thanks.