We are developing an Angular app for a client, and the same code worked on our account (paid developer account on oktapreview.com), but is failing in the customer’s account.
We are using the Okta SignIn Widget and post-authentication it is redirecting to /oauth2/default/v1/authorize and failing. We are not sure if there is indeed some functionality not enabled on the customer’s account and how to confirm that, where to start from.
Any suggestions on where to look/where to start would be greatly appreciated.
OK, changing the OktaConfig’s issuer field from XXX.okta.com/oauth2/default to XXX.okta.com fixed the issue. That was pure luck while poking around, hopefully it will be useful to someone hitting the same issue, since all samples have the oauth2 and default parts at the end of the path and no mention that that is different on okta vs oktapreview.
You are using the Okta Organization Authorization Server which will generate an Access Token that is meant for the Okta API endpoints and userInfo route (unsure if this is truly what you want to do).
The feature that the oauth2 endpoint is associated with is API Access Manager, which gives you an Authorization Server that can generate access tokens that you can use for your resource server and APIs.
If your customer has API Access Manager, their authorization server may not be created or be referenced by ID.
Let me know if you have any questions about this. We have been working hard on cleaning up the experience and there are some rough edges for existing customers. We are happy to help though!
Hi Tom,
I was also getting an error:
Identity Provider: Unknown
Error Code: server_error
Description: The requested feature is not enabled in this environment.
I removed /oauth2/default from the issuer URL and it worked, but then I am facing another issue with the resource server: the JWT token is not getting validated. It gives the following error:
{ [JwtParseError: Error while resolving signing key for kid "CSRVALgX1vvZlR2rsSRE2WOHCw6C2KR02AKIrmzHib4"]
name: 'JwtParseError',
userMessage: 'Error while resolving signing key for kid "CSRVALgX1vvZlR2rsSRE2WOHCw6C2KR02AKIrmzHib4"',
message: 'Error while resolving signing key for kid "CSRVALgX1vvZlR2rsSRE2WOHCw6C2KR02AKIrmzHib4"',
jwtString: 'eyJraWQiOiJDU1JWQUxnWDF2dlpsUjJyc1NSRTJXT0hDdzZDMktSMDJBS0lybXpIaWI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnV5VnpJTW1oWndYM09iMmp3bXlaY1A3X2xKdkJjMjN6MGdRdEFIQVFXejQiLCJpc3MiOiJodHRwczovL3N1cHBvcnRsb2dpYy5va3RhLmNvbSIsImF1ZCI6Imh0dHBzOi8vc3VwcG9ydGxvZ2ljLm9rdGEuY29tIiwic3ViIjoiYWJoaXNoZWtAc3VwcG9ydGxvZ2ljLmlvIiwiaWF0IjoxNTI3NTUxNzk0LCJleHAiOjE1Mjc1NTUzOTQsImNpZCI6IjBvYTE4NDF6NGx5UUp6YkNZMnA3IiwidWlkIjoiMDB1MTRkYWgyeEJUTDU0dTMycDciLCJzY3AiOlsiZW1haWwiLCJwcm9maWxlIiwib3BlbmlkIl19.W5t32DRz_5FfV-iiqJcfj6jINBALRlA_3D1K9CZx6B-kvEbyRRl4_itk3_-sCSdIBB32e52nOXhpft-uqQK5fnI_-kzoSdzuqiTJeK0eSmxWnUdwHPVqN0O3fwls_qSP-6ITyF73PHfok9YGQcjoHp9fRWbLiBI1wEG-C-JNGYSRZVfB6n2zcbJuDQa72cLJ_p-FUlE6VO6vMsKokc9d5r7mlHfD7pBnC0pLM7csmzAgrmRZf5matkXPQU1dQTLf5Vkgo3XrUqw2m1NizaCvQX6Ww0IhI5_77w7YMQea0hLjj8Tri6kIVg91G3Wx0NUN91RXJZmdGg8r02Tgm27GnQ',
parsedHeader:
JwtHeader {
typ: 'JWT',
alg: 'RS256',
kid: 'CSRVALgX1vvZlR2rsSRE2WOHCw6C2KR02AKIrmzHib4' },
parsedBody:
JwtBody {
ver: 1,
jti: 'AT.uyVzIMmhZwX3Ob2jwmyZcP7_lJvBc23z0gQtAHAQWz4',
iss: 'https://xxx.okta.com',
aud: 'https://xxx.okta.com',
sub: 'abhishek@xxx.xx',
iat: 1527551794,
exp: 1527555394,
cid: '0oa1841z4lyQJzbCY2p7',
uid: '00u14dah2xBTL54u32p7',
scp: [ 'email', 'profile', 'openid' ] },
innerError:
{ JwksError: [object Object]
at Request._callback (/Users/abhishek/Projects/tmp/passport-test-server/node_modules/jwks-rsa/lib/JwksClient.js:88:23)
at Request.self.callback (/Users/abhishek/Projects/tmp/passport-test-server/node_modules/request/request.js:185:22)
at Request.emit (events.js:160:13)
at Request.<anonymous> (/Users/abhishek/Projects/tmp/passport-test-server/node_modules/request/request.js:1157:10)
at Request.emit (events.js:160:13)
at IncomingMessage.<anonymous> (/Users/abhishek/Projects/tmp/passport-test-server/node_modules/request/request.js:1079:12)
at Object.onceWrapper (events.js:255:19)
at IncomingMessage.emit (events.js:165:20)
at endReadableNT (_stream_readable.js:1101:12)
at process._tickCallback (internal/process/next_tick.js:152:19)
name: 'JwksError',
message:
{ errorCode: 'E0000006',
errorSummary: 'You do not have permission to perform the requested action',
errorLink: 'E0000006',
errorId: 'oae1YonRVtZTfeVLP3CYGtvfw',
errorCauses: [] } } }
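A pre-check a Node resource server can run before handing a token to a JWKS verifier, so a token from the org authorization server (bare org URL in `iss`) being checked against a resource server configured for a custom authorization server (`/oauth2/<id>`) is reported plainly instead of as a "resolving signing key" failure. This is an added example, not code from the thread or from Okta; the domain example.okta.com, the sample token and its placeholder signature are constructed, and the JWKS paths follow Okta's documented layout (org: /oauth2/v1/keys, custom: /oauth2/<id>/v1/keys).

```javascript
// Added example: diagnose which Okta authorization server issued a token and
// whether it matches the issuer the resource server was configured with.
// example.okta.com and the sample token below are constructed for this example.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

function fromB64url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Decode header and payload WITHOUT verifying; claims are untrusted until the
// signature has been checked against the issuer's published JWKS.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return { header: JSON.parse(fromB64url(parts[0])), payload: JSON.parse(fromB64url(parts[1])) };
}

// Okta issuer layout: the org authorization server is the bare org URL; a
// custom authorization server (API Access Management) adds /oauth2/<id>.
function classifyIssuer(iss) {
  const u = new URL(iss);
  if (u.pathname === '/' || u.pathname === '') {
    return { kind: 'org', jwksUri: `${u.origin}/oauth2/v1/keys` };
  }
  const m = u.pathname.match(/^\/oauth2\/([^/]+)\/?$/);
  if (m) return { kind: 'custom', authServerId: m[1], jwksUri: `${u.origin}/oauth2/${m[1]}/v1/keys` };
  throw new Error(`unrecognised Okta issuer: ${iss}`);
}

// Compare the token's iss with the configured issuer and explain both sides.
function checkIssuer(token, configuredIssuer) {
  const { payload } = decodeJwt(token);
  const strip = (s) => s.replace(/\/$/, '');
  return {
    ok: strip(payload.iss) === strip(configuredIssuer),
    tokenIssuer: payload.iss,
    tokenAs: classifyIssuer(payload.iss),
    expectAs: classifyIssuer(configuredIssuer),
  };
}

// Constructed sample: an org-AS token (no /oauth2/<id> in iss). The third
// segment is a placeholder, not a real RS256 signature.
const SAMPLE_ORG_TOKEN = [
  b64url({ alg: 'RS256', kid: 'example-kid' }),
  b64url({ iss: 'https://example.okta.com', aud: 'https://example.okta.com', sub: 'user@example.com', scp: ['openid'] }),
  'placeholder-signature',
].join('.');
```

Run `checkIssuer(SAMPLE_ORG_TOKEN, 'https://example.okta.com/oauth2/default')` to see the mismatch the post above hit; the returned `expectAs.jwksUri` is the keys endpoint the verifier would have queried.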
@tom we have an Angular SPA that uses an OIDC flow with Okta, and I am running into this same error. I don’t quite understand your reply. Are you saying that without the feature “API Access Manager”, we CANNOT implement an OIDC flow at all? Or are you saying that it just has to be done a different way?
I am trying to migrate an app from a Developer Edition of Okta to a corporate instance that has been around for ~4 years. The corporate instance does NOT have API Access Manager enabled.
I can create the OIDC app just like it exists in the Developer Edition account, with the exception of the authorization server piece of the config (available in the “Security -> API” section of the Admin console).
The app does not really need to use the authorization server feature, so I am trying to investigate how to configure this app and just do a basic OIDC flow, but I keep getting the error mentioned in this forum post.
The thing I don’t understand is… why would our corporate Okta instance let us create an OIDC app if there is no way to actually use it without the “API Access Manager” feature being enabled?
tldr; What helped me was removing the “default” part of the URL (which is only used with API Access Management, an additional paid feature). Removing that reference routes your request to the default auth server (IRONICALLY). I hope this helps, as I spent a bunch of time trying to figure it out!
Thanks for posting! This works, it turns out different customer instances either require or forbid the “/oauth2” and/or the “/default” parts of the path.