Removing Origin from request

Hi
I am using the Gatling Maven Plugin and trying to generate an Okta access token. I am able to do the steps until it fetches the Okta token, where I get this error:

HTTP response:
status:
401 Unauthorized

body:
{"error":"invalid_client","error_description":"Browser requests to the token endpoint must use Proof Key for Code Exchange."}

I referred to the article at

https://support.okta.com/help/s/article/Browser-requests-to-the-token-endpoint-must-use-Proof-Key-for-Code-Exchange?language=en_US

Which says that I should remove Origin from the request.

Can anyone help with how I can remove the header from the request?

HTTP request:
POST https://sso.xyz.com/oauth2/ausi42oq1q3k7OuZJ0h7/v1/token
headers:
referer: https://sso.xyz.com/oauth2/ausi42oq1q3k7OuZJ0h7/v1/authorize?client_id=0oaicbuf41sc34Kc00h7&sessionToken=20111zF_55aNDScQFvuV8ko3Wodtk7xc9I6Zhumq0LZV6-R-uVTJuPh&redirect_uri=https://XXXXXXX/&response_type=code&response_mode=form_post&state=test&nonce=YwNaWtnKXjOnlGa5ipKCD81ye4l8zYQL&prompt=none&scope=openid+profile
accept: */*
origin: https://sso.xyz.johndeere.com
host: sso-qual.johndeere.com
content-type: application/x-www-form-urlencoded
content-length: 229

Currently, origin header is automatically added as soon as we have a referer header and the request is neither GET nor HEAD.
We could introduce an option to disable this in a future version.
In the meantime, you can try setting disableAutoReferer on the HttpProtocol.

Feel free to contribute, this is a pretty low hanging fruit: https://github.com/gatling/gatling/issues/4099
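
Added example, not part of the original thread and not Gatling project code: a simulation that applies the disableAutoReferer workaround described in the reply above and sets Referer by hand only on the GET that needs it. The host, authorization server id, client id, redirect URI, environment variable names and the CSS selector for Okta's form_post page are assumptions.

```scala
import io.gatling.core.Predef._
import io.gatling.http.Predef._

class OktaTokenSimulation extends Simulation {
  // Constructed placeholders: issuer, client and redirect URI.
  val issuer      = "https://sso.example.com/oauth2/AUTH_SERVER_ID"
  val clientId    = "CLIENT_ID"
  val redirectUri = "https://app.example.com/"

  val httpProtocol = http
    .baseUrl(issuer)
    // No automatic Referer, so per the reply above there is no Referer to trigger Origin.
    .disableAutoReferer

  val scn = scenario("Okta authorization code flow")
    // Assumption: a one-time Okta session token is supplied through the environment.
    .exec(session => session.set("sessionToken", sys.env.getOrElse("OKTA_SESSION_TOKEN", "")))
    .exec(
      http("Authorize")
        .get("/v1/authorize")
        .queryParam("client_id", clientId)
        .queryParam("sessionToken", "${sessionToken}")
        .queryParam("redirect_uri", redirectUri)
        .queryParam("response_type", "code")
        .queryParam("response_mode", "form_post")
        .queryParam("scope", "openid profile")
        .queryParam("state", "test")
        .queryParam("nonce", "CONSTRUCTED_NONCE")
        .queryParam("prompt", "none")
        // Referer set by hand on a GET; the reply above says Origin is only added for non-GET/HEAD.
        .header("Referer", redirectUri)
        // Assumption: form_post returns an HTML form with the code in a hidden input.
        .check(css("input[name='code']", "value").saveAs("code"))
    )
    .exec(
      http("Get Token")
        .post("/v1/token")
        // No Referer on this POST, so it goes out without an Origin header.
        .formParam("grant_type", "authorization_code")
        .formParam("code", "${code}")
        .formParam("redirect_uri", redirectUri)
        .formParam("client_id", clientId)
        .formParam("client_secret", sys.env.getOrElse("OKTA_CLIENT_SECRET", ""))
        .check(status.is(200), jsonPath("$.access_token").saveAs("access_token"))
    )

  setUp(scn.inject(atOnceUsers(1))).protocols(httpProtocol)
}
```

Reading the client secret from the environment keeps it out of the simulation source and the repository.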

Hi Stephane
I read this late, and could see you added the fix.
This is going to happen at a global level, but better would be to provide an option to remove a specific header. It will give more power to the end user. What do you think?
Now the problem is that for some I cannot work with as the referrer is removed.
Thanks
Nishant

"In the meantime, you can try setting disableAutoReferer on the HttpProtocol": this option has other repercussions on the usage.

I have below snippet

.exec(http("Get Token")
  .post("https://xyz.com/oauth2//v1/token")
  .headers(constants.OktaFormHeaders)
  .formParam("grant_type", "authorization_code")
  .formParam("code", "${code}")
  .formParam("redirect_uri", "https://xyz.com/")
  .formParam("client_id", "")
  .formParam("client_secret", " ")
  .check(jsonPath("$..access_token").saveAs("access_token")))

I am thinking if below can be added

.exec(http("Get Token")
  .post("https://xyz.com/oauth2//v1/token")
  .headers(constants.OktaFormHeaders)
  .remove(constants.OriginHeader)
  .formParam("grant_type", "authorization_code")
  .formParam("code", "${code}")
  .formParam("redirect_uri", "https://xyz.com/")
  .formParam("client_id", "")
  .formParam("client_secret", " ")
  .check(jsonPath("$..access_token").saveAs("access_token")))

Not sure this can be done.