Token Inline Hook Not Triggering

Hello,

I have configured a Token Inline Hook that points to an external service. The service itself is working correctly. I have tested it by sending a sample inline hook request JSON (using the payload generated by the Token Inline Hook preview tool), and it responds as expected. The external service is reachable and returns the proper response.

I attached this hook to the default policy, which is assigned to all clients. I also integrated a web application with Okta. When I log in to the application, authentication through Okta works successfully. However, my expectation was that the Token Inline Hook would be triggered during login and call the external service. That is not happening. I do not see any incoming requests in my service logs, nor do I see related entries in Okta’s system log.

Could you help me understand what I might be missing in the configuration?

Can you confirm which Authorization Server your application is using and that the server in question is the one for which you have added the hook? I’m wondering if your application is requesting its tokens from a different authorization server, which is why you are not seeing the hook getting triggered.

Usually the authorization server is specified as the issuer or sometimes audience for OpenID Connect/OAuth libraries, but it can also be confirmed by checking the iss value in the payload of the Access Token issued to the user. If you are using a custom authorization server, the iss will look something like https://oktaDomain/oauth2/aus1234567890

Thank you for the response. I have only one auth server listed under Security → API; that is the default one, and the URL has the following format: https://integrator-xxxxxxx.okta.com/oauth2/default. I guess that answers your question.

And your application was granted token(s) by that authorization server during the authentication process?

Yes, I can log into my application after the authentication process is completed without the hook getting triggered. The external service is not even getting any hits during the authentication process. Though when I test my external service through Inline Hook’s preview tab, it calls the external service as expected and gets the expected response back.

Hello Andrea, I am attaching some configuration screenshots. Please let me know if I am missing something.

Thanks

Okta-Forum.pdf (1.0 MB)

The Access Rule does look to be configured correctly. I still wonder whether or not your OIDC application is requesting its tokens from this authorization server.

It's entirely possible that right now you are requesting tokens from the Org Authorization Server (which is not listed under Security → API → Authorization Servers, but does exist in all Okta orgs), which is why you are not seeing any requests being made to your hook endpoint.

Can you double check the API calls your OIDC application makes to request tokens from Okta and share them here?

Hi Andrea,

Thank you for your help. So this was the issue:

I used this SpringBoot app for testing: okta-samples/okta-spring-boot-sample (Spring Boot + Okta) on GitHub.

In the application.properties, I was using

okta.oauth2.issuer=https://integrator-xxxxxxx.okta.com

whereas it should have been

okta.oauth2.issuer=https://integrator-xxxxxx.okta.com/oauth2/default

However, why was the application doing a successful Okta authentication, logging me in with the wrong issuer?

Thank you so much for sending me in the right direction.


With the issuer set to https://subdomain.okta.com, the application was able to request tokens from the Org Authorization Server, since there’s no configuration needed to set up this server (unlike a custom one, where you need to create these access policies and rules). So that's why the authentication was working, but the hook wasn’t firing because the wrong server was issuing the tokens.
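The check suggested in this thread, reading the iss claim of the issued access token and comparing it with the authorization server that holds the hook's access policy, written out as an added example that is not part of any post above. The host name and tokens are constructed, and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.
    Diagnostic use only; never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_issuer(iss):
    """Return (kind, server_id): bare org URL -> org server, /oauth2/<id> -> custom."""
    segs = urlsplit(iss).path.rstrip("/").split("/")
    if segs == [""]:
        return ("org", None)
    if len(segs) == 3 and segs[1] == "oauth2" and segs[2]:
        return ("custom", segs[2])  # "default" is a custom server's id too
    return ("unknown", None)


def hook_can_fire(token, hooked_issuer):
    """Compare the token's issuer with the server whose policy carries the hook."""
    iss = jwt_claims(token).get("iss", "")
    kind, _ = classify_issuer(iss)
    if kind == "org":
        return (False, f"iss={iss}: issued by the Org Authorization Server")
    if iss.rstrip("/") != hooked_issuer.rstrip("/"):
        return (False, f"iss={iss}: not the server with the hook ({hooked_issuer})")
    return (True, f"iss={iss}: same server as the hook's access policy")


def _make_token(claims):
    """Build a constructed, unsigned sample token for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed values mirroring the two issuer settings from the thread.
HOOKED = "https://integrator-example.okta.com/oauth2/default"
ORG_TOKEN = _make_token({"iss": "https://integrator-example.okta.com", "sub": "u1"})
DEFAULT_TOKEN = _make_token({"iss": HOOKED, "sub": "u1"})

if __name__ == "__main__":
    for name, tok in (("issuer=org URL", ORG_TOKEN), ("issuer=/oauth2/default", DEFAULT_TOKEN)):
        print(name, "->", hook_can_fire(tok, HOOKED))
```

Run against a real access token captured from the application, the first case is what the misconfigured okta.oauth2.issuer produced: login succeeds, but the token never passes through the server with the hook.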
