OIDC integration returns 403 on okta preview instance

Hello everyone,

I’ve developed a custom OKTA integration for the company i work for.
Our customer has created an OIDC → Web application integration and they shared with us their client_id and their client_secret. The flow is type of authorization_code.

We do initialize the oauth2 flow by calling the /authorize endpoint with the required parameters. (we use basic auth in order to authorize in this endpoint as specified in your documentation).

The okta sign in modal pop up, they sign in and we get a response back with the code.

We do use that code in our next API call in the /token endpoint in order to retrieve an access_token.
The response of the /token endpoint is a 403 - Forbidden for some reason that i cannot really understand as the flow works as expected in my personal okta application if i run the exact same flow (i get back a valid access token). The same flow works also for an another customer of ours and it works as expected.

The response we get back is:

{'errorCode': 'E0000006', 'errorSummary': 'You do not have permission to perform the requested action', 'errorLink': 'E0000006', 'errorId': 'oaeDvl84G5JSm-sMp_r7UXyig', 'errorCauses': []}

The customer with the issue uses an okta preview sandbox instance if that makes any difference.

Thank’s in advance.

Hi @xarhsasimakopoulos if the app using a client_id and secret this is the client credentials flow and not the authorization code flow.

If you do want to use auth code flow:
Call /authorize with the scopes you want
Login at the screen
Get the authorization code response and send to the /token endpoint to swap for an access token.

Reasons for 403 can be client side (e.g. improperly formed requests) or server side (the client_id they specified isn’t in an access policy allowing access, your user isn’t assigned to the app).

Good luck.

1 Like

Thank’s for your reply!

The application is type of: OIDC → Web Application.
This produces a general tab as shown in the screenshot, which i have checked the authorization code flow which i assume this makes the flow to be an authorization code grant flow.

The flow is exactly what you described, though at the very last step when we enchange the code for an access_token, we receive the posted error.
The user is assigned to the application, but i am not sure about the access policies.
The customer that faces the issue, under the Sign on tab, doesn’t have a Sign On Policy option like mine as shown in the screenshot:
Though, he informed me that they did the migration to an Okta Identify Engine that changed the way that sign on policies adapt to an application. (Not realy sure what’s this actually mean).

  • Do you believe that migration to Okta identity Engine would cause any issue in our case?
  • Can i guide our customer somehow to check if that is a sign on policy problem?

Any help is appreciated.

What are the exact endpoints you are using for the /authorize and /token requests? More importantly, are you using the same issuer in both requests?

For example, if I were to use the Org Authorization Server on a test org with the subdomain example123, I would start the Authorization Code flow off by making a request to https://example123.okta.com/oauth2/v1/authorize and then take the authorization code I received and send it to https://example123.okta.com/oauth2/v1/token.

My guess is that you may be inadvertently trying to use a Custom Authorization Server in your /token request, as discussed in this article: “You do not have permission to access the feature you are requesting” | Okta Help Center

The other things to check could be:
Aauthentication settings for your app. You should have client authentication = None if this is is a SPA accessing
Is there an access policy allowing your app / users access.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.