Hi,
We are using JWT Verifier (https://github.com/okta/okta-jwt-verifier-java) to validate the access token. Is there a way to validate an Admin token in a similar fashion?
Thanks
Hi @MDD
Can you please clarify what you are referring to by an admin token?
The API token with which I can perform any REST API call.
Thanks
Hi @MDD
You can do a simple cURL to list users using the API token, for example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${subdomain}.okta.com/api/v1/users?limit=200"
If the request returns response code 200, then the API token is valid and, if "errorCode" is present in the response body, then the token is invalid. Here is an example of an invalid token response from Okta:
{
"errorCode": "E0000011",
"errorSummary": "Invalid token provided",
"errorLink": "E0000011",
"errorId": "oaekvtt2rAsQvKA-FIQMMmT5Q",
"errorCauses": []
}
Thanks Dragos. Yes, this would work, but we are looking at an option to prevent hitting the Okta API if an invalid token is provided. In this approach, an attacker can perform a DoS attack by sending multiple REST calls with an invalid token.
Thanks!!
Hi @MDD
You can use OAuth for Okta in this case, which allows endpoints to be accessed using an access token. As these are access tokens, they can be verified easily through JWT verifiers.
For the API token, there is no option to check it without an actual call to an endpoint.
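Here is the check from Dragos's cURL reply written out as a small client, with a negative cache added for the DoS concern MDD raised: a token that Okta has already rejected is refused locally for a while instead of being sent to Okta again. This is an added example, not code from the thread or from Okta's SDKs. The class and function names, the use of limit=1 instead of the thread's limit=200, the 300-second cache TTL and the sample response bodies are assumptions constructed for an offline demo; the fake transport stands in for a real Okta org, and okta_transport is what you would plug in against one.

```python
"""Validate an Okta SSWS API token by calling the API, as described in the
thread, with a negative cache so repeated bad tokens do not reach Okta.
Added example; endpoint choice, TTL and all names are assumptions."""
import hashlib
import json
import time
import urllib.error
import urllib.request

# Sample bodies, constructed for the offline demo. The error body mirrors
# the invalid-token response shown earlier in the thread.
INVALID_TOKEN_BODY = json.dumps({
    "errorCode": "E0000011",
    "errorSummary": "Invalid token provided",
    "errorLink": "E0000011",
    "errorId": "oaekvtt2rAsQvKA-FIQMMmT5Q",
    "errorCauses": [],
})
USERS_BODY = json.dumps([{"id": "00u0example", "status": "ACTIVE"}])


def okta_transport(base_url, token, timeout=10):
    """Real transport: GET /api/v1/users?limit=1 with the SSWS header.
    limit=1 (an assumption; the thread used limit=200) keeps the probe cheap.
    Returns (http_status, body_text); a 4xx/5xx is returned, not raised."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/users?limit=1",
        headers={"Accept": "application/json",
                 "Authorization": f"SSWS {token}"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


class FakeOktaTransport:
    """Offline stand-in for okta_transport: one known-good token, everything
    else gets Okta's E0000011 body. Counts calls so the cache can be checked."""
    def __init__(self, good_token):
        self.good_token = good_token
        self.calls = 0

    def __call__(self, base_url, token):
        self.calls += 1
        if token == self.good_token:
            return 200, USERS_BODY
        return 401, INVALID_TOKEN_BODY


class ApiTokenChecker:
    """Checks a token through a transport and remembers failures for
    negative_ttl seconds, keyed by SHA-256 of the token (never the raw value)."""
    def __init__(self, base_url, transport=okta_transport, negative_ttl=300):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.negative_ttl = negative_ttl
        self._bad = {}  # token digest -> (expiry_epoch, error_code)

    def check(self, token, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        cached = self._bad.get(key)
        if cached and cached[0] > now:
            return {"valid": False, "source": "cache", "error_code": cached[1]}
        status, body = self.transport(self.base_url, token)
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        error_code = data.get("errorCode") if isinstance(data, dict) else None
        # The thread's rule: 200 without an errorCode means valid; otherwise not.
        if status == 200 and error_code is None:
            self._bad.pop(key, None)
            return {"valid": True, "source": "okta", "error_code": None}
        self._bad[key] = (now + self.negative_ttl, error_code)
        return {"valid": False, "source": "okta",
                "error_code": error_code, "status": status}


def demo():
    """Run the checker against the fake transport; returns the three results
    and the number of calls that actually reached the (fake) Okta API."""
    transport = FakeOktaTransport(good_token="00good-token-constructed")
    checker = ApiTokenChecker("https://example.okta.com", transport=transport)
    good = checker.check("00good-token-constructed", now=1000)
    bad_first = checker.check("not-a-real-token", now=1001)
    bad_again = checker.check("not-a-real-token", now=1002)  # served from cache
    return good, bad_first, bad_again, transport.calls


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Even with the cache, the first request for every distinct bad token still reaches Okta, so this bounds repeat traffic from the same bad token rather than eliminating the round trip; that is the limit the last reply states for API tokens. If the service has to stay DoS-resistant, the OAuth for Okta route from that reply, where the access token is a JWT that can be verified locally, is the better fit.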