
I have added the API key as an authorization header, but when calling the request from an Angular app a CORS error is thrown. I have added it in trusted origins too. The error I get for the request is

Kindly help me to get over this.

Thanks,
venkatesh.

I called from my .NET Core backend with the authorization header, but the response is 403 Forbidden.
The error response is:
{"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaeXDCjsTFYSMiV4Z6G8xeCHg","errorCauses": }. Should I send a session token with this?
Any help would be appreciated. Thanks.

The complete error message when calling from the backend .NET Framework using HttpClient:
StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
Date: Mon, 19 Apr 2021 01:39:20 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"
Vary: Accept-Encoding
x-okta-request-id: YHzfSNO2nL7Znbdv75NwxwAADkU
x-xss-protection: 0
P3P: CP="HONK"
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=315360000; includeSubDomains
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: application/json

Using “Bearer {{access token}}” won’t work unless you are implementing OAuth for Okta AND have either a user with high enough permissions (an Admin user per this role chart) or a Service app requesting tokens with the correct Okta scopes (in this case, okta.users.read).

If you want to use Okta issued OAuth tokens to access Okta resources, I recommend reviewing these two guides: User-scoped tokens OR a Service app.

Note that in both cases, you MUST use the built-in Org Authorization server, discovery endpoint https://oktaDomain/.well-known/oauth-authorization-server, and not a Custom Authorization Server (such as “Default”) to mint your tokens.
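A way to check a token against the two conditions in the reply above (minted by the Org Authorization Server, carrying the needed Okta scope), as an added example that is not part of the original thread or Okta's own code. It assumes the org issuer is `https://{oktaDomain}`, that custom authorization servers issue from `https://{oktaDomain}/oauth2/{id}`, and that scopes sit in an `scp` claim; the function names, `example.okta.com` and the sample tokens are constructed for illustration.

```javascript
// Diagnostic only: decodes the payload WITHOUT verifying the signature,
// so use it to inspect your own tokens while debugging, never to authorize.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns the reasons this token cannot authorize an Okta API call
// (empty array means issuer, scope and expiry all look right).
function diagnoseOktaApiToken(token, oktaDomain, requiredScope) {
  const claims = decodeJwtPayload(token);
  const orgIssuer = `https://${oktaDomain}`;
  const iss = String(claims.iss || "").replace(/\/+$/, "");
  const problems = [];
  if (iss.startsWith(`${orgIssuer}/oauth2/`)) {
    problems.push(`minted by custom authorization server ${iss}; use the Org Authorization Server`);
  } else if (iss !== orgIssuer) {
    problems.push(`issuer ${iss || "(missing)"} is not ${orgIssuer}`);
  }
  const scopes = Array.isArray(claims.scp)
    ? claims.scp
    : String(claims.scp || claims.scope || "").split(" ");
  if (!scopes.includes(requiredScope)) problems.push(`scope ${requiredScope} not granted`);
  if (typeof claims.exp === "number" && claims.exp * 1000 <= Date.now()) {
    problems.push("token expired");
  }
  return problems;
}

// Constructed sample tokens with a fake signature segment.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256" })}.${enc(claims)}.constructed-signature`;
}
const DOMAIN = "example.okta.com"; // placeholder domain
const EXP = 4102444800; // 2100-01-01, so the samples never expire in practice
const customToken = makeSampleToken({
  iss: `https://${DOMAIN}/oauth2/default`, scp: ["openid", "profile"], exp: EXP });
const orgToken = makeSampleToken({
  iss: `https://${DOMAIN}`, scp: ["okta.users.read"], exp: EXP });

console.log(diagnoseOktaApiToken(customToken, DOMAIN, "okta.users.read"));
console.log(diagnoseOktaApiToken(orgToken, DOMAIN, "okta.users.read"));
```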

I have a similar issue with api/v1/users

I am trying to create a user (POST request). I have the trusted origin localhost:4200 specified in settings for my custom domain, but it is still failing with a CORS error.

I am trying to call this code myself, without OKTA’s widget.

Should I do anything else?

How are you authorizing the call to api/v1/users, api/v1/users/{userId}, or api/v1/users/me? Only endpoints that have a CORS tag under them in our API docs are CORS enabled, and api/v1/users (without a userId or me) is NOT a CORS enabled endpoint so you cannot make a List Users request from the front-end.

Obviously not, as I am trying to register a user via an Okta endpoint.

Why are OIDC endpoints not marked with this sign but available for CORS?

Is there any way to make user registration available via frontend, without any backend?

I tried to run the Okta sample and I see a lot of endpoints used by the Okta widget which are missing from the documentation:
POST https://{CUSTOM_DOIMAIN}/api/v1/registration/reg19dz0r3BzH8PPa4x7/register
POST https://{CUSTOM_DOIMAIN}/api/v1/authn
POST https://{CUSTOM_DOIMAIN}/user/welcome/login/internal
POST https://{CUSTOM_DOIMAIN}/security/xsrf-token
POST https://{CUSTOM_DOIMAIN}/user/security_fields

Is this registration process documented anywhere?

There are no publicly documented endpoints for Self-Service Registration in an Okta Classic org and we are moving to a new model for this use case in the Okta Identity Engine platform.

Several of the other routes you note remain undocumented as they are only available/used internally by the Okta-hosted login page. If you are unable to find documentation about a given API endpoint, then we do not support developers interacting with it directly.

I should note that /authn IS a documented endpoint and would be used to log a user in if making a custom login page.

AuthN isn’t for anonymous users, but it’s a problem that you don’t document these endpoints for some reason.

I just don’t want to do registration on the backend side - with an Okta API token - as I just want to hit the auth server even when my backend is down.

The new model doesn’t contain samples for the browser. Are you aware of any possible changes in the future for the new model with the browser?

I just want to use either the password/WebAuthn approach without any custom Okta widgets.