Multiple user IDs for a single API authorization token

I’m seeing a strange behavior that I cannot explain. Our product connects to our customers’ Okta account via the API using the Okta auth token. One of the ways we verify this connection is by calling the following two API calls:

  • Make a call to /users/me to get the user ID, and
  • Call /users/${userId}/roles to get the list of their roles.

The problem is that when I call /users/me I get one of two IDs for that token. I’ve tried that call via our application, curl, Postman, etc., and intermittently I will get a different ID. So far the ID returned is one of two, but how is it possible to get two IDs for the same token when calling /users/me? Should that token only send the ID of the user that created the token? And if this is normal behavior, under what condition would that call send a different user ID?


Hello! According to the docs:

Fetches the current user linked to API token or session cookie

Any chance when you’re calling from your application that you are calling from the front-end/browser? I believe Okta will ignore the API token (which, if you’re sending that in the browser - don’t) and use the session cookie instead. So I could envision a scenario where you are logged in with a user and get different results calling /users/me from a front end application vs. a backend curl/Postman call.

This is a customer’s Okta account so I don’t have access to their portal.

All of my verifications have been done with curl, Postman, and a custom backend Golang application using a simple HTTP/HTTPS library to verify, and they’ve confirmed that I’m seeing intermittent changes to the ID being returned.

There does not appear to be any pattern - in one case I made the API call using curl and Postman one right after the other (using the same auth token) and I got two separate IDs.
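As an added worked example (not code from the original thread, from Okta, or from the poster's application), here is the two-call check from the question written in Go, with a fake Okta server standing in for the real API so it runs offline. The fake also models the hypothesis in the reply: if a session cookie arrives alongside the API token, /users/me answers for the session's user rather than the token's owner. The user IDs, the token value, the cookie name and the role types in the responses are all constructed for the demo. The client deliberately has no cookie jar and sends only the `Authorization: SSWS` header, and it repeats /users/me several times and refuses to proceed to the roles lookup if the ID is not stable, which is the condition the question describes.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Constructed IDs for the demo; they are not real Okta identifiers.
const (
	TokenOwnerID  = "00uTOKENOWNER0000001"
	SessionUserID = "00uSESSIONUSER000001"
)

// User and Role are the subsets of Okta's JSON objects that the check needs.
type User struct {
	ID string `json:"id"`
}
type Role struct {
	Type string `json:"type"`
}

// Client calls the Okta management API with an SSWS API token. SessionCookie is
// normally empty; it exists only to reproduce the "cookie wins over token" case.
type Client struct {
	BaseURL, Token, SessionCookie string
	HTTP                          *http.Client
}

// NewClient leaves HTTP.Jar nil on purpose: a backend verifier must never pick up
// and replay an Okta session cookie next to the API token.
func NewClient(baseURL, token string) *Client {
	return &Client{BaseURL: baseURL, Token: token, HTTP: &http.Client{Timeout: 10 * time.Second}}
}

func (c *Client) get(path string, out interface{}) error {
	req, err := http.NewRequest(http.MethodGet, c.BaseURL+path, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "SSWS "+c.Token)
	req.Header.Set("Accept", "application/json")
	if c.SessionCookie != "" { // demo only: simulate a stray browser session cookie
		req.Header.Set("Cookie", "sid="+c.SessionCookie)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: status %d", path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// VerifyTokenOwner is the two-call check from the question, hardened: it calls
// /users/me `attempts` times and only fetches roles if every call agrees on the ID.
func (c *Client) VerifyTokenOwner(attempts int) (string, []string, error) {
	var id string
	for i := 1; i <= attempts; i++ {
		var me User
		if err := c.get("/api/v1/users/me", &me); err != nil {
			return "", nil, err
		}
		switch {
		case me.ID == "":
			return "", nil, errors.New("/users/me returned no id")
		case i == 1:
			id = me.ID
		case me.ID != id:
			return "", nil, fmt.Errorf("/users/me returned %q on call 1 but %q on call %d", id, me.ID, i)
		}
	}
	var roles []Role
	if err := c.get("/api/v1/users/"+url.PathEscape(id)+"/roles", &roles); err != nil {
		return "", nil, err
	}
	types := make([]string, 0, len(roles))
	for _, r := range roles {
		types = append(types, r.Type)
	}
	return id, types, nil
}

// NewFakeOkta is a constructed stand-in for the Okta API so the example runs
// offline. A "sid" cookie, if present, decides who "me" is; otherwise the token does.
func NewFakeOkta(token, tokenOwnerID, sessionUserID string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/users/me", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "SSWS "+token && r.Header.Get("Cookie") == "" {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		id := tokenOwnerID
		if _, err := r.Cookie("sid"); err == nil {
			id = sessionUserID
		}
		json.NewEncoder(w).Encode(User{ID: id})
	})
	mux.HandleFunc("/api/v1/users/", func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/api/v1/users/"), "/") // {id}/roles
		if len(parts) != 2 || parts[1] != "roles" {
			http.NotFound(w, r)
			return
		}
		roles := []Role{{Type: "READ_ONLY_ADMIN"}} // constructed role assignments
		if parts[0] == tokenOwnerID {
			roles = []Role{{Type: "SUPER_ADMIN"}}
		}
		json.NewEncoder(w).Encode(roles)
	})
	return httptest.NewServer(mux)
}
```

Against the fake, a clean client gets the token owner's ID and roles on every call; a client that also sends a session cookie gets the session user's ID instead, which is the kind of divergence to look for in the real traffic (a cookie jar, a proxy, or a shared HTTP client that has visited the Okta UI). If the real /users/me flips IDs with no cookie in the request, the repeated-call guard at least stops the roles lookup from silently running against whichever user came back.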