The token provided has insufficient scope [bonus_api] for this request

Hi all,

I am trying to get a token from okta with client credentials and trying to validate that token in java application.

I created a web application on okta.

Screenshot 2019-05-23 at 11.44.41.png718×512 24.1 KB

Screenshot 2019-05-23 at 11.45.02.png715×311 11.2 KB

I created a custom scope.

Screenshot 2019-05-23 at 11.45.40.png1023×191 7.4 KB

I got a token with Postman with client credentials.

Screenshot 2019-05-23 at 11.50.12.png1600×490 83.2 KB

But when I try to validate that token in java I get this error.
Code : 403
www-authenticate: Bearer error=“insufficient_scope”, error_description=“The token provided has insufficient scope [bonus_api] for this request”, error_uri=“https://tools.ietf.org/html/rfc6750#section-3.1”, scope=“bonus_api”

Here is my java configuration.

okta:
  oauth2:
    grantType: client_credentials
    issuer: https://dev-xxxxx.okta.com/oauth2/default
    clientId: 0oah1zm05Y7BinmIS356
    clientSecret: xxxxxxxxxxxxx
    rolesClaim: groups
    scope: bonus_api

My pom.xml

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>1.2.0</version>
</dependency>

What can be the problem? Is my java configuration wrong?

Thanks in advance.

Any difference if you also include openid scope:

scope: openid bonus_api

Unfortunately no difference

What are the required scopes in your access policy? That may be where validation is failing.

It was my mistake. In SecurityConfig I was trying to check If token had a particular role, group etc.

http.csrf().disable().authorizeRequests()
                    .antMatchers(HttpMethod.POST,"/api/xxxx").hasAuthority(ADMIN_AUTHORITY)
                    .anyRequest().permitAll()
                    .and()
                    .oauth2ResourceServer().jwt();

But when I got token with client credentials there was no role, group etc.

So I changed my code like this and it worked.

http.csrf().disable().authorizeRequests()
                        .antMatchers(HttpMethod.POST,"/api/xxxx").authenticated()
                        .anyRequest().permitAll()
                        .and()
                        .oauth2ResourceServer().jwt();

Hello Cemil, i’m trying without succes with postam to get a token with postman with client credentials flow.

can explain in details how did you do this please ?

I got in body urlencoded : grant_type : client_credentials, scope: goodone
headers : Accept : application/json
Authorization : with my clientid:client_secret encode as base64 and
i tried all without succes

and got this error…

image955×401 20.2 KB

And if i use like this :

image1068×516 37.3 KB

i got this error :o

If you can help me , thank you !

Perhaps try what is recommended here - For Postman in particular, it sounds like you will want to enter in your client_id + client_secret in Authorization → Basic → Username/Password

Nop
it’s not working, and got the same error as you see above

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.