Unable to access REST APIs

Hi, I have a SPA (OpenID Connect with PKCE) React application which provides me an access token. With that token, if I try to access the Okta REST API (api/v1/users), I get a 401 Unauthorized error. Can you please help me with that?

Are you using the Org Authorization Server, with the issuer in your tokens appearing as https://oktaDomain?

Okta API scopes are not currently available when using a Custom Authorization Server, such as the one called “default” where the issuer in your token is https://oktaDomain/oauth2/default, and you must use the Org Authorization Server to request a token with these scopes.

Another thing you may be running into: Keep in mind that the user who is granted these tokens MUST have sufficient admin permissions to make the API call you are making, regardless of the scopes you are requesting. This is the same requirement when you use the API keys instead of OAuth tokens. You can check what admin permissions are needed for a given resource by reviewing this page.

Hi @andreaskouras, thanks for noticing in such a short period.

The issuer in my token is appearing as https://{org}/oauth2/default, so I hope it comes under the default custom authorization server. I’m not able to find the Org Authorization Server in my application. Could you please let me know the steps to add the Org Authorization Server? It would be very helpful.

Thank you,

Set the issuer for your application to https://oktadomain.com to have it use the Org Authorization Server. For example, if you are using the React SDK and redirecting to Okta for login, you want to configure your OktaAuth instance to use that as the issuer. If you are using the widget so that you have an embedded login page, you would do the same thing in the authParams.

The Org one is not visible under the Authorization Servers tab as it is un-customizable and is separate from the feature that grants you the ability to use custom authorization servers found there.

Hi @andreaskouras, I have set the issuer to (https://{org}oktadomain.com/) and got a token with that. When I try to access the Okta API {api/v1/users}, I get a 403 Forbidden error in Postman. I have also granted okta.users.read in the Okta application, and I’m using a super admin user.


How are you formatting your API request? It’s possible you are not formatting the Authorization header correctly when using OAuth tokens, as it is a little different than when you use API keys.

Instead of having the Authorization header say “SSWS {{apikey}}” have it say “Bearer {{accessToken}}” or use the OAuth 2.0 option in Postman to format it for you.
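The three checks raised in this thread (issuer, granted scope, and the Bearer header format), as an added example that is not part of any post and not Okta's own code. It assumes the access token is a JWT carrying `iss` and `scp` claims and decodes them for troubleshooting only; the function names and the `example.okta.com` tokens are constructed for illustration.

```javascript
// Added troubleshooting example (not Okta's code). Claims are decoded for
// inspection only; no signature verification is performed here.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 segments");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// List the reasons this token is unsuitable for an Okta API call.
function diagnoseOktaApiToken(token, requiredScope) {
  const claims = decodeJwtPayload(token);
  const problems = [];
  // Custom Authorization Servers, including "default", issue from /oauth2/<id>;
  // the Org Authorization Server's issuer is the bare Okta domain.
  if (new URL(claims.iss).pathname.startsWith("/oauth2/")) {
    problems.push("issuer is a Custom Authorization Server: " + claims.iss);
  }
  const scopes = Array.isArray(claims.scp) ? claims.scp : [];
  if (!scopes.includes(requiredScope)) {
    problems.push("token was not granted scope " + requiredScope);
  }
  return { issuer: claims.iss, scopes, problems };
}

// OAuth access tokens use the Bearer scheme; SSWS is only for API keys.
function authorizationHeader(accessToken) {
  return { Authorization: "Bearer " + accessToken };
}

// Constructed sample tokens with a placeholder signature (hypothetical org).
function makeSampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256" }), enc(claims), "constructed-signature"].join(".");
}
const sampleDefault = makeSampleToken({
  iss: "https://example.okta.com/oauth2/default", scp: ["openid", "profile"] });
const sampleOrg = makeSampleToken({
  iss: "https://example.okta.com", scp: ["openid", "okta.users.read"] });

console.log(diagnoseOktaApiToken(sampleDefault, "okta.users.read").problems);
console.log(diagnoseOktaApiToken(sampleOrg, "okta.users.read").problems);
```

A clean result here only rules out the token-side causes; the admin-permission requirement on the user is enforced by Okta and cannot be read from the token.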

Hi @andreaskouras, sorry for the late reply. I was able to access the API by following the steps you provided. However, we have a scenario where we need to notify the user in our React application a few days before password expiry. For that scenario we need to know the password expiry max age in days. Currently I tried the Policies API, however it is only accessible by a super admin. Is there any alternative way to know the password expiry days or the date when it expires? If so, please let me know; it would be very helpful.

Thank you,
Pream Kumar

How do your users log into your application? If users go through the Okta hosted widget or you use the /authn endpoint directly, they should already be prompted 5 days before their password expires. See Semona’s post about this in another thread.

If you check out the /authn endpoint documentation, you can see that the exact information is returned in the response, including how many days until the password expires.

Let me know if you see something else/don’t see this warning show up for a user whose password is about to expire.