OKTA event hook failing for POST request after successful verification is performed by sharing the { “verification” : “value_from_header” } in the GET request.
The URL is in Power Automate. The GET request is successful, and when an actual user is added the POST request fails with “Event hook delivery failed-401 unauthorized from POST”.
When the hook has a test payload to send to the URL, that POST request is successful too. But when the actual event happens (a user being added or removed), the event hook delivery fails.
Tried with Postman to test the URL and it works absolutely fine for both GET and POST.
Hello,
First, let’s address the verification process. When you register an event hook, Okta sends a one-time GET verification request to your endpoint, passing a verification value. Your service needs to send back this verification value to confirm that you control the endpoint. Since your GET request is successful, it seems the verification process is working as expected.
Now, let’s focus on the POST request. The fact that it works with a test payload but fails during actual events suggests that there might be a difference in how the requests are handled. Here are a few steps to consider:
Authentication and Authorization:
Ensure that your endpoint handles authentication correctly. The 401 unauthorized error indicates an authentication issue. Double-check the authentication method (e.g., API key, OAuth token) used in your POST request.
Verify that the user context (added or removed) doesn’t affect the authorization process. Sometimes, different user contexts may have different permissions.
Best Regards
davidbland889
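The verification handshake and the authentication check described in the reply above, as an added example that is not part of the original thread and is not Okta's or Power Automate's code. The `handle_hook` function, its `auth_header` and `secret` parameters, and the sample payload are constructed for illustration and stand for whatever header name and value were configured when the hook was registered.

```python
import hmac
import json

CHALLENGE_HEADER = "x-okta-verification-challenge"  # sent by Okta on the one-time GET


def handle_hook(method, headers, body, auth_header="authorization", secret="constructed-secret"):
    """Return (status, response_dict) for one request to the hook endpoint.

    auth_header and secret are assumptions: the header name and value
    entered on the event hook when it was registered.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}

    if method == "GET":
        challenge = hdrs.get(CHALLENGE_HEADER)
        if challenge is None:
            return 400, {"error": "missing verification challenge"}
        # Echo the value back to prove control of the endpoint.
        return 200, {"verification": challenge}

    if method == "POST":
        presented = hdrs.get(auth_header.lower(), "")
        # Constant-time comparison avoids leaking the secret through timing.
        if not hmac.compare_digest(presented.encode(), secret.encode()):
            return 401, {"error": "unauthorized"}
        try:
            events = json.loads(body)["data"]["events"]
            received = [e["eventType"] for e in events]
        except (ValueError, KeyError, TypeError):
            return 400, {"error": "malformed payload"}
        return 200, {"received": received}

    return 405, {"error": "method not allowed"}


# Constructed sample delivery, not captured from a real Okta org.
SAMPLE_BODY = json.dumps({"data": {"events": [{"eventType": "user.lifecycle.create"}]}})

if __name__ == "__main__":
    print(handle_hook("GET", {"X-Okta-Verification-Challenge": "abc123"}, ""))
    print(handle_hook("POST", {"Authorization": "constructed-secret"}, SAMPLE_BODY))
    print(handle_hook("POST", {}, SAMPLE_BODY))  # no credential presented -> 401
```

Logging which headers arrive on a failed delivery, without logging their values, shows whether the credential the endpoint expects was presented at all.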
Exactly, again confirming what you said: the one-time GET works with the right value exchange and handshake. I don’t understand what the difference is between a test POST request and the actual event POST, because the former passed and the latter fails.
The webhook is hosted in Microsoft Power Automate. The webhook itself has a SAS token which is used while sending a POST request; how else do we handle the authentication?
When the event is created in Okta, is there an explicit step that needs to be performed specifically for authentication?