Okta returning 401 when configured with user-info endpoint

I am integrating Okta with a Spring Boot application to build an OAuth2 client application.
I have configured the application as below:

server:
  port: 8555

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: masked
            client-secret: masked
        provider:
          okta:
            authorization-uri: https://dev-7858070.okta.com/oauth2/default/v1/authorize
            token-uri: https://dev-7858070.okta.com/oauth2/default/v1/token
            user-info-uri: https://dev-7858070.okta.com/oauth2/v1/userinfo
            jwk-set-uri: https://dev-7858070.okta.com/oauth2/default/v1/keys

The app is working fine if I do not configure the user-info-uri, but when I configure the user-info-uri, the application automatically tries to hit the userinfo endpoint with an HTTP GET passing the access token. The Okta app, however, returns a 401 error stating the token is invalid.

Below is the log:

    : Reading to [org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] as "application/json;charset=UTF-8"
2021-12-16 19:42:40.180 DEBUG 11880 --- [nio-8555-exec-3] o.s.web.client.RestTemplate              : HTTP GET https://dev-7858070.okta.com/oauth2/default/v1/keys
2021-12-16 19:42:40.180 DEBUG 11880 --- [nio-8555-exec-3] o.s.web.client.RestTemplate              : Accept=[text/plain, application/json, application/*+json, */*]
2021-12-16 19:42:40.757 DEBUG 11880 --- [nio-8555-exec-3] jdk.event.security                       : ValidationChain: 1341898239, 128597027, -1751274746
2021-12-16 19:42:41.032 DEBUG 11880 --- [nio-8555-exec-3] jdk.event.security                       :  TLSHandshake: dev-7858070.okta.com:443, TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -1751274746
2021-12-16 19:42:41.033 DEBUG 11880 --- [nio-8555-exec-3] s.n.www.protocol.http.HttpURLConnection  : sun.net.www.MessageHeader@6172186f5 pairs: {GET /oauth2/default/v1/keys HTTP/1.1: null}{Accept: application/json, application/jwk-set+json}{User-Agent: Java/11.0.7}{Host: dev-7858070.okta.com}{Connection: keep-alive}
2021-12-16 19:42:41.493 DEBUG 11880 --- [nio-8555-exec-3] s.n.www.protocol.http.HttpURLConnection  : sun.net.www.MessageHeader@5920bb2c17 pairs: {null: HTTP/1.1 200 OK}{Date: Thu, 16 Dec 2021 14:12:41 GMT}{Content-Type: application/json}{Transfer-Encoding: chunked}{Connection: keep-alive}{Server: nginx}{Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"}{x-xss-protection: 0}{p3p: CP="HONK"}{content-security-policy: default-src 'self' dev-7858070.okta.com *.oktacdn.com; connect-src 'self' dev-7858070.okta.com dev-7858070-admin.okta.com *.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com https://oinmanager.okta.com data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' dev-7858070.okta.com *.oktacdn.com; style-src 'unsafe-inline' 'self' dev-7858070.okta.com *.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com; frame-src 'self' dev-7858070.okta.com dev-7858070-admin.okta.com login.okta.com; img-src 'self' dev-7858070.okta.com *.oktacdn.com *.tiles.mapbox.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com data: blob:; font-src 'self' dev-7858070.okta.com data: *.oktacdn.com fonts.gstatic.com}{expect-ct: report-uri="https://oktaexpectct.report-uri.com/r/t/ct/reportOnly", max-age=0}{cache-control: max-age=5751840, must-revalidate}{expires: Mon, 21 Feb 2022 03:56:41 GMT}{vary: Origin}{x-content-type-options: nosniff}{Strict-Transport-Security: max-age=315360000; includeSubDomains}{X-Okta-Request-Id: YbtJWMz4hSJnMbK89S9YAAAABd8}
2021-12-16 19:42:41.493 DEBUG 11880 --- [nio-8555-exec-3] o.s.web.client.RestTemplate              : Response 200 OK
2021-12-16 19:42:41.493 DEBUG 11880 --- [nio-8555-exec-3] o.s.web.client.RestTemplate              : Reading to [java.lang.String] as "application/json"
2021-12-16 19:42:41.502 DEBUG 11880 --- [nio-8555-exec-3] o.s.web.client.RestTemplate              : HTTP GET https://dev-7858070.okta.com/oauth2/v1/userinfo
2021-12-16 19:42:41.503 DEBUG 11880 --- [nio-8555-exec-3] o.s.web.client.RestTemplate              : Accept=[application/json, application/*+json]
2021-12-16 19:42:41.503 DEBUG 11880 --- [nio-8555-exec-3] s.n.www.protocol.http.HttpURLConnection  : sun.net.www.MessageHeader@3bdc7ab6 pairs: {GET /oauth2/v1/userinfo HTTP/1.1: null}{Accept: application/json}{Authorization: Bearer eyJraWQiOiJ3Wi0tT29HeTlURnFReVlfN1hPXzgzdnlmYlE3LWtuYUFIOUQ3MmN5S0F3IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlkzSldCaVMxUDYxeXR1ekZtUjUxMDlCRVM5MThKRWUwcTNkbFItSTlrWG8iLCJpc3MiOiJodHRwczovL2Rldi03ODU4MDcwLm9rdGEuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTYzOTY2Mzk1OSwiZXhwIjoxNjM5NjkzOTU5LCJjaWQiOiIwb2EzYzk3dDFtaVBUa0pqVjVkNyIsInVpZCI6IjAwdTNteXk1c09sOVNEYnYzNWQ2Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCJdLCJzdWIiOiJwcmFkZWVwLmt1bWFyNDRAZ21haWwuY29tIiwiZ3JvdXBzIjpbIkV2ZXJ5b25lIiwic3VwZXJfYWRtaW5zIiwiYWRtaW5zIl19.PWdjnf4WCOpCCn84U-v3V8cdgVferDihMq5BYPcOlYR3yQbLHUdeHvXus22r_sre0mVJVbEQycF8z0fpkuAgOXLh-8KEEWj6WuEisvzW6dE9xwULODzZS5gE9ntolwcqix64DWX0BegFK1_WdZhRTTyM07RVdR2XFBq7POdiDb2Vkk9_dfc7--n3ax2eFFnsWaj3nXV95mRQD-xD_0MG-2k9JpzdpbS6M6KJ1egtu9fBCwD8U-bsFQbDe4LL58RGSeLvpAIqJochUhzS1cSl4_UNUwgS9l7V-MHDzt_53_BAyGRM2WiqnWmeG43sgXroRj2KQiRkX0XSHn268WnJiw}{User-Agent: Java/11.0.7}{Host: dev-7858070.okta.com}{Connection: keep-alive}
2021-12-16 19:42:42.008 DEBUG 11880 --- [nio-8555-exec-3] s.n.www.protocol.http.HttpURLConnection  : sun.net.www.MessageHeader@3b99722114 pairs: {null: HTTP/1.1 401 Unauthorized}{Date: Thu, 16 Dec 2021 14:12:41 GMT}{Content-Length: 0}{Connection: keep-alive}{Server: nginx}{Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"}{x-okta-request-id: YbtJWdz9vdX0rhB3Ae0VzAAADGc}{x-xss-protection: 0}{p3p: CP="HONK"}{access-control-expose-headers: WWW-Authenticate}{www-authenticate: Bearer authorization_uri="http://dev-7858070.okta.com/oauth2/v1/authorize", realm="http://dev-7858070.okta.com", scope="openid", error="invalid_token", error_description="The access token is invalid.", resource="/oauth2/v1/userinfo"}{content-language: en}{Strict-Transport-Security: max-age=315360000; includeSubDomains}{set-cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/}
2021-12-16 19:42:42.011 DEBUG 11880 --- [nio-8555-exec-3] o.s.web.client.RestTemplate              : Response 401 UNAUTHORIZED

2021-12-16 19:42:42.014 DEBUG 11880 --- [nio-8555-exec-3] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException
2021-12-16 19:42:42.014 DEBUG 11880 --- [nio-8555-exec-3] o.s.s.web.DefaultRedirectStrategy        : Redirecting to /login?error
2021-12-16 19:42:42.014 DEBUG 11880 --- [nio-8555-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2021-12-16 19:42:42.015 DEBUG 11880 --- [nio-8555-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2021-12-16 19:42:42.015 DEBUG 11880 --- [nio-8555-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

Please let me know where I am going wrong.

Your userinfo endpoint isn’t right, based on the rest of your config. If you are using the ‘Default’ authorization server to issue the token (as in the token-uri and the authorization-uri), then the correct user-info-uri will be https://dev-7858070.okta.com/oauth2/default/v1/userinfo

See Authorization Servers | Okta Developer for reference.
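The mismatch the answer points at can be checked mechanically: the token's `iss` claim names the authorization server that issued it, and every endpoint in the provider block should belong to that same server. The script below is an added example, not code from the question, the answer, or Okta. It takes the provider URIs from the question, builds a constructed, unsigned sample token whose `iss` and `aud` match what the log shows for the `default` server (the subject is a placeholder), and reports which endpoints point at a different server. It also parses the `WWW-Authenticate` Bearer challenge from the 401 in the log, whose `realm` is the org-level server rather than `/oauth2/default`. The one assumption it relies on is Okta's URL layout: a custom authorization server's endpoints live under `https://<org>/oauth2/<id>/v1/` with issuer `https://<org>/oauth2/<id>`, while the org authorization server's endpoints live under `https://<org>/oauth2/v1/` with issuer `https://<org>`.

```python
import base64
import json
import re
from urllib.parse import urlsplit, urlunsplit

# The provider block from the question, as a plain dict.
PROVIDER_FROM_QUESTION = {
    "authorization-uri": "https://dev-7858070.okta.com/oauth2/default/v1/authorize",
    "token-uri": "https://dev-7858070.okta.com/oauth2/default/v1/token",
    "user-info-uri": "https://dev-7858070.okta.com/oauth2/v1/userinfo",
    "jwk-set-uri": "https://dev-7858070.okta.com/oauth2/default/v1/keys",
}

# Same block with the user-info-uri corrected as the answer describes.
CORRECTED_PROVIDER = dict(PROVIDER_FROM_QUESTION)
CORRECTED_PROVIDER["user-info-uri"] = "https://dev-7858070.okta.com/oauth2/default/v1/userinfo"

# The Bearer challenge exactly as it appears in the 401 response in the log.
CHALLENGE_FROM_LOG = (
    'Bearer authorization_uri="http://dev-7858070.okta.com/oauth2/v1/authorize", '
    'realm="http://dev-7858070.okta.com", scope="openid", error="invalid_token", '
    'error_description="The access token is invalid.", resource="/oauth2/v1/userinfo"'
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a constructed payload and a dummy signature.
    It only exists to feed the diagnostic below; it is not a valid Okta token."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


# Constructed sample token: iss/aud mirror the log, the subject is a placeholder.
SAMPLE_TOKEN = make_unsigned_sample_token({
    "iss": "https://dev-7858070.okta.com/oauth2/default",
    "aud": "api://default",
    "sub": "user@example.com",
    "scp": ["openid", "profile", "email"],
})


def jwt_claims_unverified(token: str) -> dict:
    """Decode a JWT payload WITHOUT checking the signature.
    Good enough for reading `iss` while debugging; never use it to accept a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_of_endpoint(uri: str) -> str:
    """Derive the issuer of the Okta authorization server that owns an endpoint URL.
    Assumed Okta layout: /oauth2/<id>/v1/<endpoint> -> issuer https://<org>/oauth2/<id>;
    /oauth2/v1/<endpoint> (org authorization server) -> issuer https://<org>."""
    parts = urlsplit(uri)
    m = re.match(r"^(/oauth2(?:/[^/]+)?)/v1/", parts.path)
    if not m:
        raise ValueError(f"not an Okta v1 endpoint path: {parts.path}")
    base = m.group(1)
    if base == "/oauth2":
        base = ""  # org authorization server: the issuer is the bare Okta domain
    return urlunsplit((parts.scheme, parts.netloc, base, "", ""))


def endpoints_not_matching_issuer(provider: dict, access_token: str) -> list:
    """Return the provider keys whose endpoint belongs to a different
    authorization server than the one named in the token's `iss` claim."""
    iss = jwt_claims_unverified(access_token)["iss"].rstrip("/")
    return sorted(k for k, uri in provider.items() if issuer_of_endpoint(uri) != iss)


def parse_bearer_challenge(header_value: str) -> dict:
    """Parse the quoted parameters of an RFC 6750 `WWW-Authenticate: Bearer` challenge."""
    if not header_value.lower().startswith("bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', header_value[len("Bearer"):]))


if __name__ == "__main__":
    print("mismatched:", endpoints_not_matching_issuer(PROVIDER_FROM_QUESTION, SAMPLE_TOKEN))
    print("after fix: ", endpoints_not_matching_issuer(CORRECTED_PROVIDER, SAMPLE_TOKEN))
    challenge = parse_bearer_challenge(CHALLENGE_FROM_LOG)
    print("401 realm:", challenge["realm"], "error:", challenge["error"])
    print("token iss:", jwt_claims_unverified(SAMPLE_TOKEN)["iss"])
```

Run against the question's block it flags only `user-info-uri`; with the URI the answer gives it flags nothing. Comparing the challenge's `realm` with the token's `iss` tells the same story from the server's side: the userinfo endpoint that answered 401 belongs to the org authorization server, which does not recognise tokens minted by `/oauth2/default`.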
