401 Unauthorized invalid_token – troubleshooting Oracle Cloud IAM JWTs with ORDS

Symptoms

You are able to request an access token from OCI IAM. Yet, when you present that token in the subsequent request to your target resource (an ORDS endpoint), you receive a 401 Unauthorized carrying the following header (error="invalid_token"):

WWW-Authenticate: Bearer realm="Oracle REST Data Services", error="invalid_token"

Actions you’ve taken

  1. You’ve done the following in OCI:
    • Registered an Integrated Application with Oracle Identity and Access Management (IAM)
    • Created a Primary Audience & Scope
    • Obtained your Client ID and Client Secret
    • Configured your networking correctly (or at least have high confidence it’s configured correctly)
    • Acquired all of the correct, relevant URIs:
      • Authorization
      • Access Token
      • JWK
  2. You’ve configured the following in ORDS:
    • Created your JWT Profile according to the docs (or this tutorial)
    • Created the JWT role and privilege (their names should match the OCI scope name)
    • And protected your target resource (aka ORDS API)
  3. You’ve placed everything where it should be in your choice of API testing tool (cURL, Postman, Insomnia, etc.).

YET, if you still receive the error="invalid_token" message, it is quite possible that you have not made the JWK URL publicly accessible in OCI IAM. ORDS verifies each token's signature against the keys published at that URL, and it fetches them without credentials; if the domain refuses that unauthenticated fetch, the token cannot be verified and ORDS rejects it as invalid, even though IAM happily issued it.

Solution

Here is how you can verify and resolve the issue. First, navigate to your identity domain, then select Settings.

If the Configure client access box is unchecked, it is likely the culprit: with it unchecked, the domain serves its signing certificate (the JWKS) only to authenticated callers, so ORDS's unauthenticated fetch of the JWK URL fails. Check it, then select Save Changes (the button at the bottom of the screen). Note that the JWK URL exposes only public key material, so allowing anonymous access to it gives nothing away. A quick check before and after: request the JWK URL from the ORDS host with no credentials (cURL works fine); you should get an HTTP 200 with a JSON document containing a keys array, not a 401.

Then, once you re-attempt your HTTP request, ORDS will be able to:

  1. Access the JWK URL (which you included when you created your JWT Profile)
  2. Verify the authenticity of your JWT (signature, issuer, audience, expiry and scope), and
  3. Respond with the results from your resource (ORDS endpoint)
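To make those three steps concrete, here is an added Python example (it is not code from this post, from ORDS or from Oracle) that re-enacts the checks a bearer-JWT verifier such as ORDS performs, including the one the post is about: fetching the JWK URL without credentials. The RSA key, the JWKS document, the issuer, audience and scope strings, and the jwk_url_fetch stand-in for the HTTP GET are all constructed here and assumed, not real OCI IAM values. Running it shows the same token being rejected with invalid_token while the JWK URL answers 401, and accepted once it answers 200 with the key set.

```python
"""Added example, not code from the original post or from ORDS: a minimal
re-enactment of the checks a bearer-JWT verifier such as ORDS performs, so the
path that ends in error="invalid_token" is visible. The RSA key, JWKS, issuer,
audience and scope below are constructed stand-ins, not real OCI IAM values."""
import base64
import hashlib
import json
import time

# Toy RSA key built from two Mersenne primes: trivially factorable, demo only.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+
KID = "toy-key-1"
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Assumed values for the IAM issuer, the ORDS primary audience and the scope
# (which, per the post, is also the name of the ORDS privilege).
ISSUER = "https://identity.oraclecloud.com/"
AUDIENCE = "https://ords.example.com/"
SCOPE = "ords.example.scope"

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus (RS256)."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes) -> bytes:
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(msg, k), "big"), D, N).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1_v15_encode(msg, k)

# What the JWK URL serves (an RFC 7517 JWK Set): public key material only,
# which is why exposing it without authentication gives nothing away.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                  "n": b64u(N.to_bytes((N.bit_length() + 7) // 8, "big")),
                  "e": b64u(E.to_bytes(3, "big"))}]}

def mint_token(now: int, scope: str = SCOPE) -> str:
    """Stand-in for the IAM access-token endpoint: issues a signed RS256 JWT."""
    def enc(obj):
        return b64u(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "typ": "JWT", "kid": KID}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "scope": scope, "iat": now, "exp": now + 3600}
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64u(rs256_sign(signing_input.encode()))}"

def jwk_url_fetch(client_access_enabled: bool):
    """Stand-in for an unauthenticated GET of the JWK URL: (HTTP status, body).
    'Configure client access' unchecked -> 401; checked -> 200 with the JWKS."""
    return (200, JWKS) if client_access_enabled else (401, None)

def verify_bearer(token: str, fetch, required_scope: str, now: int) -> dict:
    """The checks behind the RFC 6750 error values a resource server returns."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(c_b64))
    except ValueError:
        return {"error": "invalid_token", "reason": "malformed token"}
    status, jwks = fetch()
    if status != 200:  # the failure mode the post describes
        return {"error": "invalid_token", "reason": f"JWK URL returned HTTP {status}"}
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") != "RS256":  # also rejects alg=none
        return {"error": "invalid_token", "reason": "no usable key for kid/alg"}
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h_b64}.{c_b64}".encode(), b64u_dec(s_b64), n, e):
        return {"error": "invalid_token", "reason": "bad signature"}
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return {"error": "invalid_token", "reason": "issuer/audience mismatch"}
    if now >= claims.get("exp", 0):
        return {"error": "invalid_token", "reason": "token expired"}
    if required_scope not in str(claims.get("scope", "")).split():
        return {"error": "insufficient_scope", "reason": f"scope {required_scope} not granted"}
    return {"error": None, "claims": claims}

if __name__ == "__main__":
    now = int(time.time())
    token = mint_token(now)
    for enabled in (False, True):
        print("client access", "on: " if enabled else "off:",
              verify_bearer(token, lambda: jwk_url_fetch(enabled), SCOPE, now))
```

The order of the checks is the point: the JWKS fetch comes before the signature check, so a domain that answers 401 to anonymous callers makes every token look invalid regardless of how correctly it was issued, which is exactly the symptom at the top of this post. The same function also shows the outcomes you would want to distinguish when triaging: a tampered payload fails the signature check, an expired token fails the exp check, and a token missing the scope that names the ORDS privilege fails with insufficient_scope rather than invalid_token.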

Et voilà! And that’s it, you’re back in business! 

To-do list

I think we have some action items, too: 

  • Investigate this error message and see if we can improve the message to the user (we’ve already filed an enhancement request on this)
  • Update the docs to be more specific on this setting and where to find it (a documentation bug has already been filed for this)
  • Determine if this is a good candidate for adding to the troubleshooting section of our guide
  • Update my JWT tutorial

And that’s all for now. ORDS version 25.1 is right around the corner, so look out for the official release notes and my accompanying blog too!

Follow

And don’t forget to follow, like, subscribe, share, taunt, troll, or stalk me!
