Doubt:
1. Regarding remote introspection, the gateway user, client ID and client secret should be provided, but I am not sure which values should be put. Should the gateway user be added in Okta? Are the client ID and client secret the ones that we can find in the Okta application with type Web?
2. We have published the API and the gateway endpoint is “http://.gateway.webmethodscloud.com/gateway/testokta/1.0”.
We tried to access the service through “http://.gateway.webmethodscloud.com/gateway/testokta/1.0/booking”; however, we got the error message below:
“Exception”: “API Gateway encountered an error. Error Message: Unauthorized application request. Request Details: Service - testokta, Operation - /booking, Invocation Time:5:33:04 AM, Date:May 26, 2020, Client IP - 167.220.242.61, User - Default and Application:sys:defaultApplication”
How can we resolve the error?
Gateway User: a valid API Gateway user. You could use the same username used for signing into API Gateway.
Client ID, Client Secret: these details are from the Okta > Applications screen for your client.
API Access
Request you to follow all the steps in the above-mentioned article, importantly creating an OAuth scope for your API (Step 5).
Thanks Ramesh. My doubt is that if I just use the single-page application, what should I input for the client secret in the remote introspection section? Because an SPA just has the client ID, not a client_secret.
Now I use Postman to get the access token and use the Okta introspection endpoint to verify that the access token is valid.
But if I put the access token in the header with key “Authentication” and value “Bearer ”, then send the GET request according to the article you mentioned, I always get the error message below:
“Exception”: “API Gateway encountered an error. Error Message: Token specified is invalid or has expired… Request Details: Service - testokta, Operation - /booking, Invocation Time:7:20:09 AM, Date:May 28, 2020, Client IP - 167.220.233.62, User - Default and Application:sys:defaultApplication”.
Remote introspection configuration is not specific to a particular application / client. It is an auth server level configuration.
Typically a special purpose, confidential client is created for this purpose and its credentials are configured in this page.
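The exchange the reply above describes, as an added example that is not part of this thread or of the API Gateway product: the gateway authenticates to the Okta introspection endpoint with a separate confidential client's ID and secret (HTTP Basic), submits the SPA-issued access token in the form body, and then checks the response for `active`, expiry and the scope created for the API. The Okta URL, client credentials, and the scope name `booking.read` are placeholders; the responses are constructed to match the shape of RFC 7662 introspection output.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Placeholder values for a confidential introspection client (not from the thread).
INTROSPECT_URL = "https://dev-000000.okta.com/oauth2/default/v1/introspect"  # placeholder org
CLIENT_ID = "0oaEXAMPLEclientid"          # placeholder confidential client, not the SPA
CLIENT_SECRET = "EXAMPLE-client-secret"   # placeholder; an SPA has no secret to put here


def build_introspection_request(url, client_id, client_secret, token):
    """Build the RFC 7662 introspection call a gateway makes per API request.

    The confidential client authenticates with HTTP Basic (client_id:client_secret);
    the access token being checked travels in the form body, not in a Bearer header.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return url, headers, body


def evaluate_introspection(response_json, required_scope, now=None):
    """Decide whether an introspection response authorises the call.

    Returns (allowed, reason). The token must be active, unexpired, and carry
    the scope created for the API (the Step 5 scope in the reply above).
    """
    now = time.time() if now is None else now
    data = json.loads(response_json)
    if not data.get("active"):
        return False, "token inactive (revoked, expired, or unknown to this auth server)"
    if data.get("exp", 0) <= now:
        return False, "token expired"
    scopes = set(data.get("scope", "").split())
    if required_scope not in scopes:
        return False, f"missing scope {required_scope!r}, token has {sorted(scopes)}"
    return True, f"authorised for client {data.get('client_id')} sub {data.get('sub')}"


# Constructed sample responses; the token was issued to the SPA client,
# while the introspection call itself is authenticated by the confidential client.
ACTIVE_RESPONSE = json.dumps({"active": True, "scope": "openid booking.read",
                              "client_id": "0oaSPAclient", "sub": "user@example.com",
                              "exp": 1_900_000_000, "iat": 1_899_996_400})
INACTIVE_RESPONSE = json.dumps({"active": False})
```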