Okta authorization fails

pbains1 · July 11, 2022, 7:28pm

Prior to any action my script is required to authenticate via the UserId/Password credentials to get the valid authentication token. Authentication is based on a standard OAuth 2 grant type: Password Credentials. End User will need to use the credential’s and need to make a call to the OKTA URL to get the proper token. Bearer token that is to be returned by the OKTA authentication endpoint. The following CURL command works. (I also have a working postman and Jmeter script).
curl --location --request POST ‘https://login.epo.org/oauth2/aus3up3nz0N133c0V417/v1/token’ --header ‘Authorization: Basic MG9hM3VwZG43YW41cE1JOE80MTc=’ --header ‘Content-Type: application/x-www-form-urlencoded’ --header ‘Cookie: JSESSIONID=410A141E003CA043900BD8F707007F74’ --data-urlencode ‘grant_type=password’ --data-urlencode ‘username=akhtar1508@gmail.com’ --data-urlencode ‘password=Test@bdds1’ --data-urlencode ‘scope=openid’.

The following K6 script fails with a http 400 bad request error and the authorisation fails. Is there something obvious i am doing wring in this script.

import http from ‘k6/http’
import { check } from “k6”;

export default function () {
var url = ‘https://login.epo.org/oauth2/aus3up3nz0N133c0V417/v1/token’;

var headerParam = {
    headers: {
        'Authorization': 'Basic MG9hM3VwZG43YW41cE1JOE80MTc=',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': 'JSESSIONID=410A141E003CA043900BD8F707007F74'
    }
};

//lets define body - accepts email and password 
var payload = JSON.stringify({
    grant_type: 'password',
    username: 'akhtar1508@gmail.com',
    password: 'Test@bdds1',
    scope: 'openid'
});

// URL, HEADER, JSON BODY
let response = http.post(url, headerParam, payload)

check(response, {
    success: r => r.status == 200
  });

}

pbains1 · July 11, 2022, 7:29pm

There is a proxy in between so i run the following command from the terminal:
HTTPS_PROXY=http://internal\osa0002:sasp2osa@proxylb.internal.epo.org:8080 k6 run script.js.

I get the following response:

HTTP/1.1 400 Bad Request
Connection: close
Transfer-Encoding: chunked
Content-Security-Policy: frame-ancestors ‘self’
Content-Type: application/json
Date: Mon, 11 Jul 2022 19:07:43 GMT
P3p: CP=“HONK”
Server: nginx
Set-Cookie: sid=“”; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: autolaunch_triggered=“”; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Strict-Transport-Security: max-age=315360000; includeSubDomains
X-Content-Type-Options: nosniff
X-Okta-Request-Id: Ysx0_zhtpKfQt2QODR1YTAAAAHk
X-Xss-Protection: 0

mstoykov · July 12, 2022, 7:42am

hi @pbains1,

You have switched the order of the headers and the body in the http.post call - it is “url, body, params”

pbains1 · July 12, 2022, 8:20am

Hi mystoykov,

I have switched the order as you quite rightly observed they were the wrong way around. However i now get another error (after switching debugging to full) which i dont understand. As you can see i have specified the grant_type in the header as grant_type: ‘password’ but the error seems to suggest that it is not specified.

{“error”:“invalid_request”,“error_description”:“The token request must specify a ‘grant_type’. Valid values: [password, authorization_code]”}

mstoykov · July 12, 2022, 9:33am

You are also sending a json body in k6 but a urlencoded one with curl.

Does it work if you just don’t call JSON.stringify on the object before you send it?

pbains1 · July 12, 2022, 9:59am

Hi,

I removed the JSON.stringify and the request works now. Thanks a lot.

Parm