I have a working Angular 5 application, using the Okta login container (widget). My application makes calls to a backend API. All of this is working.
I want to make API calls using Postman. I am able to make the authentication calls to Okta and get back an id_token from within Postman. However, when I try to use the token in the call to the API, I get JWT validation errors.
Here are my steps:
I make a call to api/v1/authn to get a sessionToken.
I then supply the session token, and my credentials, in a call to oauth2/default/v1/authorize.
This call returns a token in the data.id_token field.
I supply the token (cut and paste within Postman) to a call to my API backend, using Authorization BearerToken, passing the token.
This is the same process I use in my app, but as I said, it isn’t working. I am noticing that in the display of the token in Postman (in the response to the oauth2/default/v1/authorize call) there appear to be escaped characters. In the token I see “\x2D” - this seems to be the cause of my problems.
This may be more of a Postman issue, but I thought I’d ask here in case someone is familiar with it. Is there a difference in the return value when the authorize call is made in Postman instead of the Okta widget? Is there a parameter that needs to be set/changed?
I believe the issue is Id Token instead of Access Token was passed as bearer token to API, and the validation logic (middleware) at the API rejects Id Token.
My understanding is OIDC introduced Id Token as proof of identity (authentication), but Id Token is not designed to be passed to API as bearer token, which gives the client access to the requested resources (authorization). The OIDC spec does not seem to have clear statements about the usages of Id Token vs Access Token. There are confusions and debates on this subject, for example:
@jliu is correct (and as usual, Brock and the IdentityServer folks provide great info). You should be sending an access token to your API backend, not an ID token.
Are you using Postman to make test API calls while you are doing development? You can get an access token through Postman, but it’s a little awkward. I built a simple tool that makes this easier: https://oidcdebugger.com
If you (temporarily) configure your application to allow a redirect URI of https://oidcdebugger.com/debug and enable the implicit flow, you can get an access token using my debugger tool and then use it to make API calls with Postman.
I now have it working, but I don’t understand why, since it doesn’t seem to match with what I’ve read from your replies.
I am still using the id_token from my response. I changed the response_mode from okta_post_message to form_post, and the token that is returned no longer is escaped. If I pass this token to my API, it works.
I was only retrieving the id_token. I modified the call to return the access token (token) as well, but if I pass the access token to my API it is rejected.
My backend is Java, and I’m using the Okta JwtVerifier.decodeAccessToken() method. However, as I said, it seems to only succeed when I pass the id_token.
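An added Python helper, not code from this thread or from Okta, for the two things the thread turns on: undoing the `\x2D` JavaScript escapes that an okta_post_message response leaves in the token before it is pasted into an Authorization header, and inspecting the (unverified) payload to tell an Okta ID token from an access token and to see which audience each was issued for, which is what a verifier configured with a single expected audience checks. The issuer, client id, claim layout and fake signature are constructed assumptions.

```python
import base64
import json
import re

# Constructed sample values (not real Okta identifiers): a placeholder issuer and
# client id, plus a fake 3-byte signature chosen so its base64url form contains '-'.
ISSUER = "https://dev-PLACEHOLDER.oktapreview.com/oauth2/default"
CLIENT_ID = "0oaPLACEHOLDERclientid"
FAKE_SIG = b"\xf8\x00\x00"   # base64url '-AAA': shows the \x2D escape in the output

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_demo_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with an unverifiable fake signature (inspection demo only)."""
    header = b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.{b64url(FAKE_SIG)}"

def unescape_js(s: str) -> str:
    """Undo JavaScript \\xHH escapes (e.g. \\x2D for '-') left in by okta_post_message."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def is_well_formed(token: str) -> bool:
    """True if the string is three non-empty base64url segments; escaped tokens fail this."""
    parts = token.split(".")
    return len(parts) == 3 and all(re.fullmatch(r"[A-Za-z0-9_-]+", p) for p in parts)

def decode_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: for diagnosis, never for auth."""
    if not is_well_formed(token):
        raise ValueError("not a well-formed JWT (check for JS escapes such as \\x2D)")
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def classify(payload: dict) -> str:
    """Assumption: Okta access tokens carry scp/cid; ID tokens carry a nonce and aud=client id."""
    if "scp" in payload or "cid" in payload:
        return "access_token"
    return "id_token" if "nonce" in payload else "unknown"

def audience_matches(payload: dict, expected: str) -> bool:
    """A verifier configured with the client id as its audience accepts ID tokens only."""
    aud = payload.get("aud", [])
    return expected in (aud if isinstance(aud, list) else [aud])

ID_TOKEN = make_demo_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user@example.com",
                          "nonce": "n1", "exp": 1700000000})
ACCESS_TOKEN = make_demo_jwt({"iss": ISSUER, "aud": "api://default", "sub": "user@example.com",
                              "cid": CLIENT_ID, "scp": ["openid", "profile"], "exp": 1700000000})
ESCAPED_ID_TOKEN = ID_TOKEN.replace("-", "\\x2D")   # as the token appears in the Postman body
```

Run `unescape_js` on the pasted string first; if `is_well_formed` is still false the problem is the transport escaping, and if `audience_matches` fails for the expected audience the problem is the token type.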