The token provided has insufficient scope [bonus_api] for this request

Hi all,

I am trying to get a token from Okta with client credentials and then validate that token in a Java application.

I created a web application on okta.
I created a custom scope.

I got a token with Postman with client credentials.

But when I try to validate that token in Java I get this error.
Code : 403
www-authenticate: Bearer error="insufficient_scope", error_description="The token provided has insufficient scope [bonus_api] for this request", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1", scope="bonus_api"

Here is my Java configuration.

okta:
  oauth2:
    grantType: client_credentials
    issuer: https://dev-xxxxx.okta.com/oauth2/default
    clientId: 0oah1zm05Y7BinmIS356
    clientSecret: xxxxxxxxxxxxx
    rolesClaim: groups
    scope: bonus_api

My pom.xml

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>1.2.0</version>
</dependency>

What can be the problem? Is my Java configuration wrong?

Thanks in advance.

Any difference if you also include the openid scope:

scope: openid bonus_api

Unfortunately, no difference.

What are the required scopes in your access policy? That may be where validation is failing.

It was my mistake. In SecurityConfig I was trying to check if the token had a particular role, group, etc.

http.csrf().disable().authorizeRequests()
        .antMatchers(HttpMethod.POST, "/api/xxxx").hasAuthority(ADMIN_AUTHORITY)
        .anyRequest().permitAll()
        .and()
        .oauth2ResourceServer().jwt();

But when I got a token with client credentials there was no role, group, etc.

So I changed my code like this and it worked.

http.csrf().disable().authorizeRequests()
        .antMatchers(HttpMethod.POST, "/api/xxxx").authenticated()
        .anyRequest().permitAll()
        .and()
        .oauth2ResourceServer().jwt();
1 Like
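The fix above works because `.authenticated()` accepts any valid JWT from the configured issuer, but it also drops the per-endpoint authorization check entirely. The 403 in the original question shows the client-credentials token did carry the `bonus_api` scope, and Spring Security's JWT resource-server support maps each value of the token's `scope`/`scp` claim to a granted authority prefixed with `SCOPE_`, so the least-privilege option is to require that scope rather than a group. The following configuration is an added example, not code from this thread or from the Okta starter; the package name, the `/api/bonus` path and the `Admin` group name are assumptions, and it assumes the Okta starter keeps Spring Security's default `SCOPE_` mapping alongside the `groups` claim configured via `rolesClaim`.

```java
package com.example.bonus; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Spring Security turns each entry of the JWT's "scope"/"scp" claim into
    // an authority named "SCOPE_<scope>", so the custom scope from the
    // question becomes this authority on a client-credentials token.
    private static final String BONUS_API_SCOPE = "SCOPE_bonus_api";

    // Group-derived authority taken from the "groups" claim (rolesClaim).
    // Only user tokens (e.g. authorization-code flow) carry it; a
    // client-credentials token has no user and therefore no groups.
    // "Admin" is an assumed group name.
    private static final String ADMIN_AUTHORITY = "Admin";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Stateless bearer-token API with no session cookie, so CSRF
            // protection adds nothing here (same choice as the original config).
            .csrf().disable()
            .authorizeRequests()
                // Machine-to-machine endpoint: require the scope the client was
                // actually granted instead of accepting any token from the issuer.
                .antMatchers(HttpMethod.POST, "/api/bonus").hasAuthority(BONUS_API_SCOPE)
                // Interactive admin endpoint: require a group membership that
                // only user tokens carry; a client-credentials token gets 403 here.
                .antMatchers(HttpMethod.DELETE, "/api/bonus/**").hasAuthority(ADMIN_AUTHORITY)
                // Everything else stays open, as in the original configuration.
                .anyRequest().permitAll()
            .and()
            // Validate the bearer JWT (signature, issuer, expiry) against the
            // authorization server configured under okta.oauth2.issuer.
            .oauth2ResourceServer().jwt();
    }
}
```

With this in place, a client-credentials token without `bonus_api` in its `scope` claim is rejected with the same `insufficient_scope` 403 seen in the question, while a token that has the scope is allowed through; the group check is reserved for endpoints that are only ever called on behalf of a user.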