While making access token exchange call to Dex /userinfo API is giving 403 Forbidden

[kuriman01]

Preflight Checklist

• [X] I agree to follow the Code of Conduct that this project adheres to.
• [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
• [X] I am not looking for support or already pursued the available support channels without success.

Version

2.39.0

Storage Type

Kubernetes

Installation Type

Official Helm chart

Expected Behavior

When making access token exchange call using the IDP access token to DEX it must return a new access token in response.

Note: we are using client credential flow to obtain access token from IDP

Actual Behavior

When making access token exchange call to DEX following error is bring returned {HTTP Status: 401 unauthorized. Response: {"error":"access_denied"}}. In Dex logs it is showing the following message "level=error msg="failed to verify subject token: oidc: error loading userinfo: 403 Forbidden: "

Steps To Reproduce

1. Obtain access token from upstream IDP(Okta)
2. Making access(obtained access token from upstream) token exchange call to Dex to get new access token generated by Dex.
3. Return status code 401 with error {"error": "access_denied"}

Additional Information

curl --location 'http://{{DEX_URL}}/dex/token' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Authorization: Basic MG9hMjF2bjc4eTBhVDBzN2Ywxxxxx' --data-urlencode 'connector_id=okta' --data-urlencode 'scope=profile groups openid email' --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' --data-urlencode 'subject_token=xxxxxxx4QUtnNWl0RmpLOmp0aSI6IkFULnNFxxxxxxxxxxxxxxxxxxxxxxxx' --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token'

Configuration

No response

Logs

No response

[scott-sudweeks]

I am also experencing this issue. Logs from Okta show a successful user login and a successful issuance of an access token to Dex.

However Dex does not return it to the user.

[nabokihms]

access_denied looks like a response from Okta, which we cannot debug without seeing the connector settings

[alukach]

@nabokihms What makes you think this is Okta's response? I'm seeing a similar 403 when using the following config:

issuer: http://localhost:5556/dex

storage:
  type: memory

web:
  http: 0.0.0.0:5556
  allowedOrigins: ['*']

oauth2:
  skipApprovalScreen: true

staticClients:
  - id: client
    redirectURIs:
      - "http://localhost:8000/docs/oauth2-redirect"
    name: "Example client"
    secret: super-super-secret

enablePasswordDB: true

staticPasswords:
  - email: "[email protected]"
    username: "admin"
    # password: "password"
    # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

When my browser sends an OPTIONS request, it receives a 403:

▶ curl 'http://localhost:5556/dex/token' \
  -X 'OPTIONS' \
  -H 'Access-Control-Request-Headers: x-requested-with' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Origin: http://localhost:8000' --verbose
*   Trying 127.0.0.1:5556...
* Connected to localhost (127.0.0.1) port 5556 (#0)
> OPTIONS /dex/token HTTP/1.1
> Host: localhost:5556
> User-Agent: curl/8.1.2
> Accept: */*
> Access-Control-Request-Headers: x-requested-with
> Access-Control-Request-Method: POST
> Origin: http://localhost:8000
> 
< HTTP/1.1 403 Forbidden
< Date: Fri, 14 Mar 2025 00:36:51 GMT
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

(let me know if this should be moved to a separate issue)

[cardoe]

The OPTIONS piece is likely related to #939.

[MehdiRtal]

+1