Okta Users API and Authorization Code Flow

Our use case involves managing users in our Okta domain via the Users API.

We are developing this with Authorization Code Flow. The frontend passes the Jwt to our Spring Boot app, and the latter will make the request to the Users API with the Jwt token in the header.

I am currently facing the following issue. My Spring Security context refuses a Jwt whose issuer is not https://${okta.domain-name}/oauth2/default. So fine, I generate a Jwt with an issuer of https://${okta.domain-name}/oauth2/default just as they did here: Get Access token with Postman - invalid algorithm - #5 by Vladimir. It means that I am now using the default custom authorization server, which is not my intention. Moreover, the Users API subsequently rejects the request with a 401 Unauthorised error. I can’t tell why exactly. I guess it’s got to do with the scopes. The Users API would need the ‘users.manage’ scope, whereas the custom authorization server has ‘openid’ and ‘profile’ scopes. Custom Authorization Servers do not mint access tokens with Okta API Scopes → Authorization Servers | Okta Developer

“Each authorization server has a unique issuer URI and its own signing key for tokens to keep a proper boundary between security domains.” - from the link above
“You can’t mix tokens between different authorization servers. By design, authorization servers don’t have trust relationships with each other.” - from the link above. The access token generated by the custom authorisation server will not be compatible with the Okta org authorisation server it seems to me.

How could I use the Okta Org Authorization Server instead? It suits my needs perfectly, as I do need to validate the Jwt. I’ll leave that to Okta.

Hi @magyard! It looks like you are setting up OAuth for Okta Overview | Okta Developer. Can you confirm your frontend app is requesting an access token from your Okta Org Authz Server - Authorization Servers | Okta Developer?

Hi sigama,

Thanks for your reply. The frontend requests and receives a JWT indeed from the Okta Org Authorization Server.

I have actually managed to solve this issue in the meantime. The key was that the JWT must be passed along to the Okta Users API without a JwtDecoder being configured in the security context. This means that http.oauth2ResourceServer().jwt(); in the config file and spring.security.oauth2.resourceserver.jwt.issuer-uri in the properties file must not be defined. They must not be provided because the security context does not have to be aware of the Jwt as I am not validating it.

All the validation is done by the Okta Users API.

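The pass-through approach described in the reply above, as an added example rather than code from the thread: a Spring Boot controller that forwards the caller's bearer token unchanged to the Okta Users API and surfaces Okta's own verdict. It assumes a property named okta.domain-name holding the org domain, and that no oauth2ResourceServer().jwt() / issuer-uri is configured, so the Spring app itself never tries to decode the token.

```java
// Added example (not the thread's code). Assumes the property okta.domain-name
// holds the org domain (e.g. dev-123456.okta.com, a constructed value) and that
// the security config does NOT set http.oauth2ResourceServer().jwt(), so no
// JwtDecoder runs here; Okta validates issuer, signature and scopes itself.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;

@RestController
public class OktaUsersProxyController {

    private final WebClient okta;

    public OktaUsersProxyController(@Value("${okta.domain-name}") String oktaDomain) {
        // The Org Authorization Server and the Users API both live on the org
        // domain itself, not under /oauth2/default (the custom server).
        this.okta = WebClient.builder().baseUrl("https://" + oktaDomain).build();
    }

    @GetMapping("/users")
    public ResponseEntity<String> listUsers(
            @RequestHeader(value = HttpHeaders.AUTHORIZATION, required = false) String authorization) {
        // Forward only a bearer token; anything else is rejected before Okta is called.
        if (authorization == null || !authorization.startsWith("Bearer ")) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        try {
            String body = okta.get()
                    .uri("/api/v1/users")                              // Okta Users API: list users
                    .header(HttpHeaders.AUTHORIZATION, authorization)  // token passed through untouched
                    .retrieve()
                    .bodyToMono(String.class)
                    .block();
            return ResponseEntity.ok(body);
        } catch (WebClientResponseException e) {
            // Okta does the validation: a token minted by /oauth2/default, or one
            // lacking the Users API scope (okta.users.manage), comes back as 401/403,
            // and that status is returned to the frontend rather than swallowed.
            return ResponseEntity.status(e.getStatusCode()).body(e.getResponseBodyAsString());
        }
    }
}
```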