Validating Admin Token

Hi,

We are using JWT Verifier (https://github.com/okta/okta-jwt-verifier-java) to validate the access token. Is there a way to validate the Admin token in a similar fashion?

Thanks

Hi @MDD

Can you please clarify what you are referring to through an admin token?

The API token using which I can perform any REST API call.

Thanks

Hi @MDD

You can do a simple cURL to list users using the API token, for example

curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${subdomain}.okta.com/api/v1/users?limit=200"

If the request returns response code 200, then the API token is valid and, if "errorCode" is present in the response body, then the token is invalid. Here is an example of an invalid token response from Okta

{
    "errorCode": "E0000011",
    "errorSummary": "Invalid token provided",
    "errorLink": "E0000011",
    "errorId": "oaekvtt2rAsQvKA-FIQMMmT5Q",
    "errorCauses": []
}

Thanks Dragos. Yes, this would work, but we are looking at an option to prevent hitting the Okta API call if an invalid token is provided. In this approach, an attacker can perform a DoS attack by sending multiple REST calls with an invalid token.

Thanks!!

Hi @MDD

You can use OAuth for Okta in this case, which allows endpoints to be accessed using an access token. As these are access tokens, they can be verified easily through JWT verifiers.

For the API token, there is no option to check it without an actual call to an endpoint.
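The thread ends with two contrasting approaches: an SSWS API token can only be checked by spending a round trip to Okta (the cURL call earlier in the thread), whereas an OAuth for Okta access token is a JWT that can be rejected locally before any request leaves your service, which is what removes the DoS amplification the original poster was worried about. The example below, added here and not code from the thread, from Okta, or from okta-jwt-verifier-java, shows that local gate end to end: the issuer, audience, subject and signing key are constructed demo values, and the signature uses an HS256 shared secret only so the example runs offline (Okta signs access tokens with RS256 and publishes the public keys at the issuer's JWKS endpoint, so a real verifier fetches those keys instead). The claim checks are the same ones a JWT verifier performs: algorithm pinning, signature, iss, aud, exp and nbf. The gateway counts upstream calls so you can see that rejected tokens never reach Okta.

```python
"""Local pre-validation of an OAuth for Okta access token before any call
reaches Okta. Added example; not code from the forum thread or from Okta.
Constructed values: ISSUER, AUDIENCE, SECRET, the subject and the key id.
HS256 stands in for Okta's RS256 so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example.okta.com/oauth2/default"   # constructed
AUDIENCE = "https://example.okta.com"                # constructed org URL
SECRET = b"constructed-demo-key-not-for-production"  # constructed


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Test helper playing the authorization server. alg="none" yields an
    unsigned token so the verifier's algorithm pin can be exercised."""
    header = {"alg": alg, "typ": "JWT", "kid": "demo-kid"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + b64url_encode(sig)


def verify_access_token(token: str, now=None):
    """Return (ok, reason, claims). Every rejection happens locally, with no
    network traffic, which is the property the thread is after."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64url or bad JSON
        return False, "malformed", None
    # Pin the algorithm: never let the token's own header pick "none" or a downgrade.
    if header.get("alg") != "HS256":
        return False, "bad_alg", None
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return False, "bad_signature", None
    if claims.get("iss") != ISSUER:
        return False, "bad_issuer", None
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "bad_audience", None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired", None
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return False, "not_yet_valid", None
    return True, "ok", claims


class OktaApiGateway:
    """Front door to the management API. upstream_calls counts how many
    requests would actually go to Okta; rejected tokens never add to it."""

    def __init__(self) -> None:
        self.upstream_calls = 0

    def list_users(self, bearer_token: str, now=None) -> dict:
        ok, reason, claims = verify_access_token(bearer_token, now)
        if not ok:
            return {"status": 401, "reason": reason}
        self.upstream_calls += 1  # the real GET /api/v1/users would be issued here
        return {"status": 200, "sub": claims["sub"], "scp": claims.get("scp", [])}


if __name__ == "__main__":
    now = 1_700_000_000
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "00uexample",
                       "exp": now + 3600, "scp": ["okta.users.read"]})
    gw = OktaApiGateway()
    print(gw.list_users(good, now))
    print(gw.list_users(mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "x", "exp": now - 1}), now))
    print("upstream calls:", gw.upstream_calls)
```

Note that this only removes the cost for tokens that fail locally; a token that passes every check still costs a round trip, and Okta may still reject it (revoked, insufficient scope), so the 401 and errorCode handling from the earlier reply stays in place behind the gate. For an SSWS API token there is nothing to verify locally, so a gate like this cannot be built for it, which is the point of the last reply.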