Fix: ApiKey authentication returning 403 Invalid session errors #94
Summary
Fixes API token authentication that was completely broken, causing all requests with the -ApiKey parameter to fail with 403 "Invalid session" errors. This fix resolves multiple reported issues affecting customers who were completely blocked from using API token authentication.

Issues Fixed
Closes #91
Closes #86
Closes #52
Problem
Customers using Set-OktaConfiguration -ApiKey @{apitoken = "..."} were unable to authenticate to the Okta API. The authentication header was never being added to API requests, causing all calls to fail with 403 errors.

Root Cause: In OktaApiClient.ps1 (lines 82-85), the code created a local $headers variable with the Authorization header but never merged it into $HeaderParameters, which is what actually gets sent with the HTTP request.

Solution
$HeaderParameters["Authorization"]
ApiKeyPrefix configuration
apitoken key existence
DefaultHeaders workaround

Changes
Modified:
src/Okta.PowerShell/Private/OktaApiClient.ps1 - Fixed ApiKey authentication logic (11 lines)
README.md - Updated documentation to remove outdated warnings and promote ApiKey as recommended approach (34 lines)
.github/CODEOWNERS - Added @manmohan-shaw-okta as codeowner

Added:
tests/Integration/ApiKeyAuth.Integration.Tests.ps1 - Integration test coverage for ApiKey authentication (48 lines)

Testing
Get-OktaUser -UserId 'me' successfully authenticates with API token

Impact
Before: API token authentication completely non-functional - customers blocked
After: API token authentication works as documented
Related PRs
This PR supersedes:
Credits
Co-authored-by: @TriggerAu
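As an added illustration (not code from the Okta.PowerShell repository or from this PR), the pattern the Root Cause paragraph describes, a local $headers hashtable that is populated but never merged into $HeaderParameters, is shown next to a corrected version that checks for the apitoken key, honours the ApiKeyPrefix configuration and writes into the hashtable that is actually sent. The $Configuration layout and the function names are assumptions made for this example; the SSWS prefix is Okta's documented API-token authorization scheme, and the token value is a placeholder.

```powershell
# Added illustration, not the Okta.PowerShell project's code.
# Assumed configuration shape: hashtables for ApiKey and ApiKeyPrefix,
# both keyed by the header's configuration name ("apitoken").
$Configuration = @{
    ApiKey       = @{ apitoken = 'REPLACE_WITH_YOUR_TOKEN' }   # placeholder, not a real token
    ApiKeyPrefix = @{ apitoken = 'SSWS' }                       # Okta's API-token scheme
}

# Broken pattern: the Authorization header lands in a local hashtable that
# nothing reads afterwards, so the request goes out without it and Okta
# answers 403 "Invalid session".
function Get-RequestHeadersBroken {
    param([hashtable]$HeaderParameters = @{})
    if ($Configuration.ApiKey.ContainsKey('apitoken')) {
        $headers = @{}
        $headers['Authorization'] = "$($Configuration.ApiKeyPrefix.apitoken) $($Configuration.ApiKey.apitoken)"
    }
    return $HeaderParameters   # $headers was never merged in
}

# Corrected pattern: confirm the apitoken key exists, apply the configured
# prefix, and set the header on the hashtable the HTTP request actually uses.
function Get-RequestHeadersFixed {
    param([hashtable]$HeaderParameters = @{})
    if ($Configuration.ApiKey -and $Configuration.ApiKey.ContainsKey('apitoken')) {
        $prefix = $Configuration.ApiKeyPrefix.apitoken
        $token  = $Configuration.ApiKey.apitoken
        if ([string]::IsNullOrEmpty($prefix)) {
            $HeaderParameters['Authorization'] = $token
        } else {
            $HeaderParameters['Authorization'] = "$prefix $token"
        }
    }
    return $HeaderParameters
}

# Regression check in the spirit of the integration test this PR adds:
# the fixed path must yield an Authorization header carrying the prefix,
# while the broken path yields none.
function Test-AuthorizationHeader {
    $broken = Get-RequestHeadersBroken
    $fixed  = Get-RequestHeadersFixed
    [pscustomobject]@{
        BrokenHasAuthHeader = $broken.ContainsKey('Authorization')
        FixedHasAuthHeader  = $fixed.ContainsKey('Authorization')
        FixedHeaderStartsWithPrefix = $fixed['Authorization'].StartsWith("$($Configuration.ApiKeyPrefix.apitoken) ")
    }
}

Test-AuthorizationHeader
```

Running the script prints one object whose BrokenHasAuthHeader is False and whose FixedHasAuthHeader and FixedHeaderStartsWithPrefix are True; a test of this shape catches the regression class described in the PR without needing a live Okta tenant, which is the complement to the integration test that exercises Get-OktaUser -UserId 'me' against the real API.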