Unable to get the Okta user info through a bearer token generated through client credentials. I am getting a 403 Forbidden error.
Please find the URL along with the bearer token: https://dev-70769058.okta.com/oauth2/v1/userinfo
Bearer Token - eyJraWQiOiJ3S0Jlek9OTFYtS3hoaTFKOTBvX2hFMFk2S2tseVFtOFFKV2tJU1p5VlNRIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlNTNjhvV0VUVVVGTkJtT1dWcUViRGtLbUVTRFcxenk4M0k1ZHNLVVRLTWsiLCJpc3MiOiJodHRwczovL2Rldi03MDc2OTA1OC5va3RhLmNvbSIsImF1ZCI6Imh0dHBzOi8vZGV2LTcwNzY5MDU4Lm9rdGEuY29tIiwic3ViIjoicmF2aS5raXNob3JlMTFAb2t0YS5jb20iLCJpYXQiOjE2ODUxMDEzOTEsImV4cCI6MTY4NTEwNDk5MSwiY2lkIjoiMG9hOWxkd2cyNTFUeWNUekc1ZDciLCJ1aWQiOiIwMHU5bGtkdXg3Qlpxemx2YzVkNyIsInNjcCI6WyJva3RhLnVzZXJzLnJlYWQiXSwiYXV0aF90aW1lIjoxNjg1MTAxMzg2fQ.sNR8WMbUtcPUV176nkoffvVTueoMZpa7pJyiK_dKBmQD4fUjk-K7g4DqsMGmOhzxcel-qMR6EGYyYY4GsA0FtTCXpykSW_Pxfa8LJAoOv8ytKjbLiL6TPAQJ464UXydOKkeUSSue1wVilP1qP88YKEI5IQjOWPKVx2JmX4LDnZgaLFoavia-cjI27SUnmZ5OX8W_8Y4QzAb_XJt6w4lTPc_KbBMVCQuPrmYn5cdRGjGdfkvp4cbXKxG3t23lTSULe7JFaNLVqAmAw5HTwf_kKsyaIIPo-FnQ8UkdCgIgriWZCdRR7DH5W9SMmcVNj27JCNmREyk70H_CcgI4x541rw.
Thank you so much. I was trying to resolve the issue for a long time. As you suggested, just changing the scope to ‘openid’ resolved the issue.
I am getting the userinfo from the endpoint.
Could you please let me know how to give access to other scopes in Okta?
The openid scope is required to use the Userinfo endpoint, so just make sure you request it and any other scopes you require and you should be set. If you want to get other information about the user available at Userinfo (e.g. user attributes like given_name), you’ll also want to request the profile scope, which is another standard scope as defined for OpenID Connect.
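The reply above comes down to one check: which scopes Okta actually put into the access token. Okta access tokens list the granted scopes in the `scp` claim, so a token whose `scp` lacks `openid` cannot be expected to work at `/oauth2/v1/userinfo`. The following script is an added example, not code from the thread or from Okta; it decodes the token payload locally and reports whether `openid` (required for Userinfo) and `profile` (needed for attributes such as `given_name`) were granted. The two sample tokens are constructed for the demonstration with a placeholder signature, and the decoding deliberately does not verify signatures, so it is a diagnostic aid only, never an authorization check.

```python
# Added example (not from the original thread or Okta): inspect an Okta access
# token's "scp" claim to see whether /oauth2/v1/userinfo can be expected to
# work. Signature is NOT verified here; this is for local diagnostics only.
import base64
import json

USERINFO_REQUIRED_SCOPE = "openid"   # Userinfo endpoint refuses tokens without it
PROFILE_SCOPE = "profile"            # adds attributes such as given_name


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload (claims) of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> list:
    """Scopes Okta actually granted, taken from the 'scp' claim (empty if absent)."""
    return list(decode_claims(token).get("scp", []))


def diagnose_userinfo(token: str) -> dict:
    """Explain whether this token is scoped for the Userinfo endpoint."""
    scopes = granted_scopes(token)
    has_openid = USERINFO_REQUIRED_SCOPE in scopes
    has_profile = PROFILE_SCOPE in scopes
    if not has_openid:
        reason = ("'openid' is not in scp: request it (plus 'profile' for user "
                  "attributes) when obtaining the token, or Userinfo answers 403")
    elif not has_profile:
        reason = "Userinfo will work, but add 'profile' to receive user attributes"
    else:
        reason = "token is scoped correctly for Userinfo with profile attributes"
    return {"scopes": scopes, "userinfo_ok": has_openid,
            "profile_attributes": has_profile, "reason": reason}


def _make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token; the signature part is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'sample-kid'})}.{enc(claims)}.placeholder-signature"


# Constructed sample 1: shaped like the thread's failing token (no 'openid' in scp).
SAMPLE_TOKEN_NO_OPENID = _make_sample_token({
    "iss": "https://example.okta.com", "aud": "https://example.okta.com",
    "sub": "user@example.com", "scp": ["okta.users.read"],
})
# Constructed sample 2: the scopes the reply recommends for Userinfo.
SAMPLE_TOKEN_OPENID_PROFILE = _make_sample_token({
    "iss": "https://example.okta.com", "aud": "https://example.okta.com",
    "sub": "user@example.com", "scp": ["openid", "profile", "groups"],
})

if __name__ == "__main__":
    for name, tok in (("no-openid", SAMPLE_TOKEN_NO_OPENID),
                      ("openid+profile", SAMPLE_TOKEN_OPENID_PROFILE)):
        print(name, json.dumps(diagnose_userinfo(tok), indent=2))
```

Run it against a real token by passing the token string to `diagnose_userinfo`; if `userinfo_ok` is false, the fix is on the token-request side (the scope parameter), not on the Userinfo call. For anything beyond diagnostics, validate the token properly against the authorization server's JWKS rather than trusting decoded claims.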
I have a requirement to get the logged-in user details like “username, password” along with the group the user belongs to. I am using the “openId groups profile” scope to get the username, group and sub from claims. Could you please let me know how to get the password?
As per our project implementation, we have configured the Okta OpenID details like the Provider URL and Client ID in the AWS Identity Provider and created an AWS policy and role mapped to the ‘Web Identity’. After that we tried calling the AmazonSecurityTokenServiceClient.AssumeRoleWithWebIdentity request, passing the Okta IdentityToken to generate temporary AWSCredentials to access the S3 bucket. Initially it worked for 1 day, but after that, when we try to call AWS, it gives us this error: “Amazon.SecurityToken.Model.InvalidIdentityTokenException: OpenIDConnect provider’s HTTPS certificate doesn’t match configured thumbprint”.
Could you please let us know how to resolve this issue: do we need to generate a new thumbprint from Okta and add it to AWS, will it change every day, or is there any specific setting we have to provide?