Question by Artem Ptushkin · Feb 11 at 10:49 AM · 31 Views · Tags: oauth 2.0, portal, okta, authroization

Authorization from Dev portal doesn't work for Oauth2 clientCredentials flow integration with Okta

Hello!

Authorization button doesn't work with Okta JWT token provider and `clientCredentials` flow.

Having `securitySchemes` section like:

securitySchemes:
  publicApiKey:
    type: apiKey
    name: Authorization
    in: header
  myOAuth2:
    type: oauth2
    flows:
      clientCredentials:
        tokenUrl: https://my.okta.com/oauth2/default/v1/token
        scopes:
          api_public: access to the endpoint

Dev portal web UI always sends `origin` header. Okta responds with `Access-Control-Allow-Origin` when creds are valid, but the response code is 401 and the body:

{
    "error": "invalid_client",
    "error_description": "Browser requests to the token endpoint must use Proof Key for Code Exchange."
}

because of https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-for-Code-Exchange.

Thus, my question: is it possible to change something on the Apigee side to prevent sending the `origin` header, at least for the `clientCredentials` flow?

My point here: any server besides Okta should consider requests with an `origin` header as browser requests, and thus it has the right to respond with an error when it expects a call from a server.

----
This is not similar but close to https://community.apigee.com/questions/61809/dev-portal-invocation-external-oauth.html as Okta is customizable and can respond with the same header as the origin in the CORS header.

Comment by Dino-at-Google ♦♦ · Feb 11 at 05:00 PM

Artem, let me see if I can find someone to help out with this question.
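
An added example, not part of the thread and not Apigee or Okta code: it models the rejection reported in the question and shows one possible server-side relay that rebuilds the portal's token request with an allowlist of headers, so the hop to the token endpoint carries no `Origin`. The relay, `RELAY`, both function names, `portal.example.com` and the sample credentials are hypothetical; `tokenEndpointModel` is a simplified stand-in for the behaviour quoted above.

```javascript
// Constructed model of the behaviour reported in the question (not Okta's code):
// a client_credentials request that carries an Origin header is rejected.
function tokenEndpointModel(req) {
  const names = Object.keys(req.headers).map((h) => h.toLowerCase());
  const form = new URLSearchParams(req.body);
  if (names.includes('origin') && form.get('grant_type') === 'client_credentials') {
    return { status: 401, error: 'invalid_client' };
  }
  return names.includes('authorization')
    ? { status: 200 }
    : { status: 401, error: 'invalid_client' };
}

// Hypothetical relay config: the upstream URL is pinned, never taken from the caller.
const RELAY = {
  tokenUrl: 'https://my.okta.com/oauth2/default/v1/token', // tokenUrl from the spec above
  allowedScopes: ['api_public'],
  forwardHeaders: ['authorization', 'accept'], // Origin, Referer, Cookie are dropped
};

// Rebuild the portal's token request as a server-to-server call.
function buildUpstreamRequest(browserReq, cfg = RELAY) {
  const form = new URLSearchParams(browserReq.body);
  if (form.get('grant_type') !== 'client_credentials') {
    throw new Error('relay only serves the client_credentials grant');
  }
  const scopes = (form.get('scope') || '').split(' ').filter(Boolean);
  const denied = scopes.filter((s) => !cfg.allowedScopes.includes(s));
  if (denied.length > 0) throw new Error(`scope not allowed: ${denied.join(' ')}`);

  const headers = { 'content-type': 'application/x-www-form-urlencoded' };
  for (const [name, value] of Object.entries(browserReq.headers)) {
    const key = name.toLowerCase();
    if (cfg.forwardHeaders.includes(key)) headers[key] = value;
  }
  const body = new URLSearchParams({ grant_type: 'client_credentials', scope: scopes.join(' ') });
  return { method: 'POST', url: cfg.tokenUrl, headers, body: body.toString() };
}

// Constructed sample of what the portal's browser sends to the relay.
const sampleBrowserRequest = {
  headers: {
    Origin: 'https://portal.example.com',
    Authorization: 'Basic ' + Buffer.from('sample-client-id:sample-secret').toString('base64'),
    Accept: 'application/json',
  },
  body: 'grant_type=client_credentials&scope=api_public',
};
```

With such a relay, the `tokenUrl` in `securitySchemes` would point at the relay, which then has to answer the portal's CORS request itself.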


0 Answers
