Authorization from Dev portal doesn't work for Oauth2 clientCredentials flow integration with Okta

Hello!

The Authorization button doesn't work with the Okta JWT token provider and the `clientCredentials` flow.

Having a `securitySchemes` section like:

securitySchemes:
  publicApiKey:
    type: apiKey
    name: Authorization
    in: header
  myOAuth2:
    type: oauth2
    flows:
      clientCredentials:
        tokenUrl: https://my.okta.com/oauth2/default/v1/token
        scopes:
          api_public: access to the endpoint

The Dev portal web UI always sends an `origin` header. Okta responds with `Access-Control-Allow-Origin` when the creds are valid, but the response code is 401 and the body is:

{
    "error": "invalid_client",
    "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange."
}

because of https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-fo....

Thus, my question is: is it possible to change something on the Apigee side to prevent sending the `origin` header, at least for the `clientCredentials` flow?

My point here: any server besides Okta should consider requests with an `origin` header as browser requests, and thus has the right to respond with an error when it expects a call from a server.

----
This is not similar but close to https://community.apigee.com/questions/61809/dev-portal-invocation-external-oauth.html as Okta is customizable and can respond with the same header as the origin in the CORS header.
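A constructed model of the token-endpoint policy behind the error quoted above, added here as an illustration (not Okta's or Apigee's code): any request carrying an `Origin` header is classed as a browser request, which may not use `client_credentials` (that grant implies a client secret, which must never sit in a browser) and must present a PKCE `code_verifier` for `authorization_code`. The 401 `invalid_client` body is the one from the post; the other status codes, the `authorization_code` branch and the shape of the success responses are assumptions.

```python
from typing import Dict, Tuple

# Error text quoted in the post; the policy below is a constructed model of it.
PKCE_ERROR = ("Browser requests to the token endpoint must use "
              "Proof Key for Code Exchange.")


def is_browser_request(headers: Dict[str, str]) -> bool:
    """Browsers always attach an Origin header to cross-site XHR/fetch calls,
    so its presence (header names are case-insensitive) marks a browser client."""
    return any(name.lower() == "origin" for name in headers)


def token_endpoint(headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, dict]:
    """Return (status, JSON body) for a token request under the browser policy.

    Only the 401 invalid_client body for the browser + client_credentials case
    is taken from the post; other codes and bodies are assumptions.
    """
    grant = form.get("grant_type")
    browser = is_browser_request(headers)

    # A browser must never hold a client secret, so client_credentials is refused
    # outright; an authorization_code exchange from a browser must carry PKCE.
    if browser and grant == "client_credentials":
        return 401, {"error": "invalid_client", "error_description": PKCE_ERROR}
    if browser and grant == "authorization_code" and "code_verifier" not in form:
        return 401, {"error": "invalid_client", "error_description": PKCE_ERROR}

    if grant == "client_credentials":
        # Server-to-server call (no Origin): the secret is checked, not the origin.
        if not form.get("client_id") or not form.get("client_secret"):
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": "<constructed>", "token_type": "Bearer"}
    if grant == "authorization_code":
        if not form.get("code"):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": "<constructed>", "token_type": "Bearer"}
    return 400, {"error": "unsupported_grant_type"}
```

The same `client_credentials` form succeeds once it is sent by a server-side component with no `Origin` header, which is why a browser-only dev portal cannot complete this flow against a provider enforcing the policy.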


Artem, let me see if I can find someone to help out with this question.