The token provided has insufficient scope [bonus_api] for this request

Cemil · May 23, 2019, 9:57am

Hi all,

I am trying to get a token from okta with client credentials and trying to validate that token in java application.

I created a web application on okta.

I created a custom scope.

I got a token with Postman with client credentials.

But when I try to validate that token in java I get this error.
Code : 403
www-authenticate: Bearer error=“insufficient_scope”, error_description=“The token provided has insufficient scope [bonus_api] for this request”, error_uri=“https://tools.ietf.org/html/rfc6750#section-3.1”, scope=“bonus_api”

Here is my java configuration.

okta:
  oauth2:
    grantType: client_credentials
    issuer: https://dev-xxxxx.okta.com/oauth2/default
    clientId: 0oah1zm05Y7BinmIS356
    clientSecret: xxxxxxxxxxxxx
    rolesClaim: groups
    scope: bonus_api

My pom.xml

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>
<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>1.2.0</version>
</dependency>

What can be the problem? Is my java configuration wrong?

Thanks in advance.

Govner · May 23, 2019, 10:13am

Any difference if you also include openid scope:

scope: openid bonus_api

Cemil · May 23, 2019, 11:39am

Unfortunately no difference

micah.silverman · May 23, 2019, 2:05pm

What are the required scopes in your access policy? That may be where validation is failing.

Cemil · May 23, 2019, 2:27pm

It was my mistake. In SecurityConfig I was trying to check If token had a particular role, group etc.

http.csrf().disable().authorizeRequests()
                    .antMatchers(HttpMethod.POST,"/api/xxxx").hasAuthority(ADMIN_AUTHORITY)
                    .anyRequest().permitAll()
                    .and()
                    .oauth2ResourceServer().jwt();

But when I got token with client credentials there was no role, group etc.

So I changed my code like this and it worked.

http.csrf().disable().authorizeRequests()
                        .antMatchers(HttpMethod.POST,"/api/xxxx").authenticated()
                        .anyRequest().permitAll()
                        .and()
                        .oauth2ResourceServer().jwt();

Neojet · February 5, 2021, 4:03pm

Hello Cemil, i’m trying without succes with postam to get a token with postman with client credentials flow.

can explain in details how did you do this please ?

I got in body urlencoded : grant_type : client_credentials, scope: goodone
headers : Accept : application/json
Authorization : with my clientid:client_secret encode as base64 and
i tried all without succes

and got this error…

And if i use like this :

i got this error :o

If you can help me , thank you !

tyty · February 5, 2021, 5:17pm

Perhaps try what is recommended here - For Postman in particular, it sounds like you will want to enter in your client_id + client_secret in Authorization → Basic → Username/Password

Neojet · February 8, 2021, 9:55am

Nop
it’s not working, and got the same error as you see above

system · January 26, 2024, 6:48pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.