Unable to get the okta user info through bearer token generated through client credentials. I am getting 403 forbidden error

ravikishore · May 26, 2023, 12:17pm

Unable to get the okta user info through bearer token generated through client credentials. I am getting 403 forbidden error.

Please find the url along with the bearer token
https://dev-70769058.okta.com/oauth2/v1/userinfo
Bearer Token - eyJraWQiOiJ3S0Jlek9OTFYtS3hoaTFKOTBvX2hFMFk2S2tseVFtOFFKV2tJU1p5VlNRIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlNTNjhvV0VUVVVGTkJtT1dWcUViRGtLbUVTRFcxenk4M0k1ZHNLVVRLTWsiLCJpc3MiOiJodHRwczovL2Rldi03MDc2OTA1OC5va3RhLmNvbSIsImF1ZCI6Imh0dHBzOi8vZGV2LTcwNzY5MDU4Lm9rdGEuY29tIiwic3ViIjoicmF2aS5raXNob3JlMTFAb2t0YS5jb20iLCJpYXQiOjE2ODUxMDEzOTEsImV4cCI6MTY4NTEwNDk5MSwiY2lkIjoiMG9hOWxkd2cyNTFUeWNUekc1ZDciLCJ1aWQiOiIwMHU5bGtkdXg3Qlpxemx2YzVkNyIsInNjcCI6WyJva3RhLnVzZXJzLnJlYWQiXSwiYXV0aF90aW1lIjoxNjg1MTAxMzg2fQ.sNR8WMbUtcPUV176nkoffvVTueoMZpa7pJyiK_dKBmQD4fUjk-K7g4DqsMGmOhzxcel-qMR6EGYyYY4GsA0FtTCXpykSW_Pxfa8LJAoOv8ytKjbLiL6TPAQJ464UXydOKkeUSSue1wVilP1qP88YKEI5IQjOWPKVx2JmX4LDnZgaLFoavia-cjI27SUnmZ5OX8W_8Y4QzAb_XJt6w4lTPc_KbBMVCQuPrmYn5cdRGjGdfkvp4cbXKxG3t23lTSULe7JFaNLVqAmAw5HTwf_kKsyaIIPo-FnQ8UkdCgIgriWZCdRR7DH5W9SMmcVNj27JCNmREyk70H_CcgI4x541rw.

Please help me to resolve this issue.

phi1ipp · May 26, 2023, 2:31pm

Client credentials flow does not have any user associated with it, b/c it’s obtained by services, applications, etc

andrea · May 30, 2023, 3:32pm

hmm, I’m not sure this is CC flow though. There’s a uid claim in the token

It looks like this question was asked over here as well, and the problem is likely that there is no openid scope granted to the token:

ravikishore · May 30, 2023, 4:32pm

Hi Andrea,

Thank you so much. I was trying to resolve the issue for a long time. As you suggested, just changing the scope to ‘openid’ resolved the issue.
I am getting the userinfo from the endpoint.

Could you please let me know how to give access to other scopes in okta.

Thank You,
Ravikishore.

andrea · May 30, 2023, 9:13pm

The openid scope is required to use the Userinfo endpoint, so just make sure you request it and any other scopes you require and you should be set. If you want to get other information about the user available at Userinfo (e.g. user attributes like given_name), you’ll also want to request the profile scope, which is another standard scope as defined for OpenID Connect.

ravikishore · June 1, 2023, 6:47am

Thank You Andrea for your help.

ravikishore · June 22, 2023, 11:16am

Hi andrea,

I have a requirement to get the logged in user details like “username, password” along with the group which the user belongs to. I am using the “openId groups profile” scope to get the username, group and sub from claims. Could you please let me know how to get the password.

Thank you,
Ravikishore.

andrea · June 22, 2023, 7:28pm

For security reasons, there is no way to receive an end-users password via API or other means

ravikishore · June 30, 2023, 10:20am

Hi Andrea,

As per our project implementation we have configured the Okta openId details like Provider Url and Client Id in AWS Identity Provider and created AWS policy and role to map to the ‘Web Identity’. After that we have tried calling AmazonSecurityTokenServiceClient.AssumeRoleWithWebIdentity request by passing the Okta IdentityToken to generate the temporary AWSCredentials to access the S3 Bucket. Initially it worked for 1 day then after that when we are trying to call the AWS, it is giving us this error "Amazon.SecurityToken.Model.InvalidIdentityTokenException: ‘OpenIDConnect provider’s HTTPS certificate doesn’t match configured thumbprint’.
Could you please let us know how to resolve this issue, do we need to generate a new thumbprint from Okta and add it to AWS or will it change every 1 day or is there any setting specific to that we have to provide?

Thanks & Regards,
Ravikishore.