You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
I am not looking for support or already pursued the available support channels without success.
Version
2.39.0
Storage Type
Kubernetes
Installation Type
Official Helm chart
Expected Behavior
When making access token exchange call using the IDP access token to DEX it must return a new access token in response.
Note: we are using client credential flow to obtain access token from IDP
Actual Behavior
When making access token exchange call to DEX following error is bring returned {HTTP Status: 401 unauthorized. Response: {"error":"access_denied"}}. In Dex logs it is showing the following message "level=error msg="failed to verify subject token: oidc: error loading userinfo: 403 Forbidden: "
Steps To Reproduce
Obtain access token from upstream IDP(Okta)
Making access(obtained access token from upstream) token exchange call to Dex to get new access token generated by Dex.
Return status code 401 with error {"error": "access_denied"}
Preflight Checklist
Version
2.39.0
Storage Type
Kubernetes
Installation Type
Official Helm chart
Expected Behavior
When making access token exchange call using the IDP access token to DEX it must return a new access token in response.
Note: we are using client credential flow to obtain access token from IDP
Actual Behavior
When making access token exchange call to DEX following error is bring returned {HTTP Status: 401 unauthorized. Response: {"error":"access_denied"}}. In Dex logs it is showing the following message "level=error msg="failed to verify subject token: oidc: error loading userinfo: 403 Forbidden: "
Steps To Reproduce
Additional Information
curl --location 'http://{{DEX_URL}}/dex/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--header 'Authorization: Basic MG9hMjF2bjc4eTBhVDBzN2Ywxxxxx'
--data-urlencode 'connector_id=okta'
--data-urlencode 'scope=profile groups openid email'
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token'
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange'
--data-urlencode 'subject_token=xxxxxxx4QUtnNWl0RmpLOmp0aSI6IkFULnNFxxxxxxxxxxxxxxxxxxxxxxxx'
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token'
Configuration
No response
Logs
No response
The text was updated successfully, but these errors were encountered: