Roles Bases Authorization not working : Bearer forbidden

I have a .net core 3.0 application that consumes a bearer token that I am currently providing via postman call.

In my developer okta account I have setup a group named : xyz (By going under Users → Groups).
Then in my authorization Servers : under the default server I added a claim as explained in the video :

[ Use the Built-In ASP.NET Core 3.0 OIDC Middleware with Okta]
(Use the Built-In ASP.NET Core 3.0 OIDC Middleware with Okta - YouTube)

In my net core application :
in my startup.cs

  services.AddAuthentication(options =>
            {
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            })
             .AddJwtBearer(options =>
             {
                 options.Authority = "https://dev-75725943.okta.com/oauth2/default";
                 options.Audience = "api://default";
                 options.RequireHttpsMetadata = false;
                 options.TokenValidationParameters.NameClaimType = "name";
                 options.TokenValidationParameters.RoleClaimType = "groups";
             });

In my controller endpoint :
(Below is a part of code : shows Authorize)

 [HttpGet]
        [ProducesResponseType(typeof(IEnumerable<DeviceTypeStatusCnt>), (int)HttpStatusCode.OK)]
        [Authorize(Roles = "xyz")]
        public async Task<IActionResult> GetDeviceModelsAsync()
        {

Now in postman :
The api works just fine with [Authorize] but the bearer token does not work with
[Authorize(Roles=“xyz”)]
and gives the follwoing stacktrace (part of the whole stacktrace):

Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: Successfully validated the token.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed.
Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler: Information: AuthenticationScheme: Bearer was forbidden.
Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished in 54.4103ms 403

Not sure what is wrong?

Hi @questOkta,

I hope the user is assigned to the group ?

Is it possible for you to decode the id token to check if you are getting the groups claim ?

You could also use the Token Preview tab of the authorization server and check if the groups claim is present in the token.

@gpadma Went through some documentation seems that I am using application with granttype as Client Credentials, which in Okta seems to not support groups (Don’t know why? ).

Then I created a new application as SPA with a grantype AuthorizationCode with Pkce. Now I am trying to configure my postman to get the bearer token but it won’t get it and the callback fails is my understanding :

Below are details from Okta application:

Below is the Postman configuration (This does not work)


The error received in the postman console is : Error: [object Object]

Note the okta application seems to be configured correctly as it works with the Angular UI. Below are the settings used in Angular to get the token : (This works)

What maybe wrong in the postman settings for receiving the token

@questOkta Client credentials flow is recommended for server side client applications with no end user, Hence you may not be getting groups claim in client credentials flow.

For the help with postman, could you create a Support case with Okta to have someone assist you ?