空手道 API 测试 - Bearer error="invalid_token", error_description="观众<number>是无效的”</number>

Question

Postman headers I'm using secret keys to generate an access token that I will use to authenticate for an API that I call. The issue is that I'm getting the error:

status code was: 401, expected: 200 WWW-Authenticate: Bearer error="invalid_token", error_description="The audience value is invalid"

This is how I call the API

Given url `https://login.microsoftonline.com/tenant_id/oauth2/token`
And form field grant_type = `client_credentials`
And form field client_id = `value`
And form field client_secret = `value`
When method post
Then status 200

match response.access_token != null

def access_token = response.access_token

print access_token

Given header Authorization = 'Bearer ' + access_token
Given url 'url'
And header accept = `plain/text`
And header 'X-Mimic-User' = `confidential`
When method GET
Then status 200

I'm expecting to the authenticated to the API with the generated access token.

Answer 1

So it appears your error may be related to the Authorization header, although the error description is hard to decipher, possibly scope related? I would list the URL first, not the header, unless you are re-using it, and want to configure the value for subsequent requests. Another way of setting the Bearer token is:

And match response.access_token == '#present'

* def oauthToken = `Bearer ${response.access_token}`

But really the most important thing is for you to check your request, including headers and compare it between Karate and Postman to see what is different.

Answer 2

From what I see in the error description, the first API call made towards your auth provider is returning a 200 with an access token. but the second call you are making to your application server seems to be failing to see the audience value in your access token.

I doubt you are using the same client credentials input ( client_id , client_secret ) in your postman and karate setup. Make sure they are the same.

I would also confirm if the access token received is having the aud parameter by checking it in https://jwt.io or any other tool you trust to decode your access token JWT. for the sake of experimentation do the same for the access token you got from postman as well.

Ideally, these configurations are very internal to your application and identity team and may not be directly related to karate. The other teams mentioned should be the ones best to guide you.