403 Forbidden when trying to access api-services endpoint

Hi,

I first posted this question on the support center and was advised to ask here instead.

We have an OAuth2 app (OIDC web app), and after authenticating with it we try to hit the endpoint `integrations/api/v1/api-services/`, but for some reason we get 403 Forbidden:

```json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "oaejnZ2oM4pQPyWy-buEDEBEA",
  "errorCauses": []
}
```
  1. We are requesting the scope `okta.oauthIntegrations.read` during the OAuth2 flow.
  2. The OAuth2 app has this scope granted.
  3. The user who logs in during the OAuth flow has the "Read-Only Administrator" role.
  4. Inspecting the token we got from OAuth, I see the scope is there (see screenshot).

On the first ticket someone from Okta told me that:

I also ran this by my developer colleagues and they mentioned that the /integrations endpoint is for API Service applications that are in the OIN. API Service Applications are not Web apps. You should probably use the Apps endpoint with the okta.apps.read scope instead.

(which indeed is mentioned in the documentation), but that's strange, because I'm able to make the request with a Super Admin user. If the endpoint were restricted to OIN apps, wouldn't it have failed with the Super Admin login too?

Thanks in advance!

That comment from the original thread you opened was to point you to a better solution for your use case: if you are trying to fetch information about a custom OIDC app or an SSO OIDC app from the OIN, then you should use `/api/v1/apps`, which will return that type of application.

Do you additionally have a need to get information about API Service Integrations by a Read Only admin?

> Do you additionally have a need to get information about API Service Integrations by a Read Only admin?

Yeah, in my circumstances I need to verify the response of `/api-services/`. But is that behavior expected (only being able to get a response with the Super Admin role)? Or maybe Read-Only Admin is not enough for some reason.

Also, `/api/v1/apps` and `api-services` are not interchangeable, right? `apps` returns the apps in the org and `api-services` lists the service integrations.

Correct, the two endpoints are not interchangeable. The /api/v1/apps endpoint will return all admin-managed applications in the org, including custom apps, while the /integrations/api/v1/api-services endpoint will only return API Service Integrations that were added from the OIN.

It's likely that, because of the more elevated permissions of an API Service Integration (which can be used to make API calls into Okta to read and manage various resources), only Super Admins (who also have permission to read and manage those same resources) are able to manage or read details about that application, which would include its credentials.
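The thread's troubleshooting boils down to two separate checks: does the access token actually carry the scope the endpoint needs, and if it does, is the 403 coming from the signed-in admin's role rather than from the token? The script below is an added example, not code from the thread or from Okta; it decodes the token's `scp` claim locally (inspection only, no signature verification) and classifies a failed call using the endpoint-to-scope pairs named in the thread (`/api/v1/apps` with `okta.apps.read`, `/integrations/api/v1/api-services` with `okta.oauthIntegrations.read`). The sample token is constructed and unsigned, and the sample error body is the one the original poster pasted; the `scp` claim name is an assumption about Okta access tokens.

```python
"""Added example (not from the thread): triage an Okta 403 on an admin API call.

Assumptions (labelled): the access token is a compact JWT whose payload lists
granted scopes in the "scp" claim, and the error body has the shape the
original poster pasted. The sample token below is constructed and unsigned;
it is decoded only to read claims, never to trust them.
"""
import base64
import json

# Endpoint -> OAuth scope, as named in the thread.
REQUIRED_SCOPE = {
    "/api/v1/apps": "okta.apps.read",
    "/integrations/api/v1/api-services": "okta.oauthIntegrations.read",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token: str) -> set[str]:
    """Return the scopes in the JWT's 'scp' claim (inspection only, no signature check)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", []))


def triage_403(path: str, access_token: str, status: int, body: dict) -> str:
    """Classify a failed admin-API call into the cause a practitioner should fix next."""
    if status != 403:
        return f"not a permission problem (HTTP {status})"
    needed = REQUIRED_SCOPE.get(path)
    if needed is None:
        return "unknown endpoint; check its documented scope"
    if needed not in token_scopes(access_token):
        # Missing scope: fix the authorization request and the app's granted scopes.
        return f"token lacks scope {needed}: request it and check the app's granted scopes"
    if body.get("errorCode") == "E0000006":
        # Scope is present, so the token is not the problem: the admin role is.
        return (f"scope {needed} present but the signed-in admin's role cannot call {path}; "
                "retry with a role that can (the thread reports Super Admin succeeds)")
    return "403 with an unexpected body; inspect errorCode/errorCauses"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo only (never usable for real auth)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed inputs mirroring the thread: the token has the integrations scope
# but not okta.apps.read, and the error body is the one the poster received.
SAMPLE_TOKEN = make_unsigned_jwt({"sub": "read-only-admin", "scp": ["openid", "okta.oauthIntegrations.read"]})
SAMPLE_403 = {
    "errorCode": "E0000006",
    "errorSummary": "You do not have permission to perform the requested action",
    "errorLink": "E0000006",
    "errorId": "oaejnZ2oM4pQPyWy-buEDEBEA",
    "errorCauses": [],
}

if __name__ == "__main__":
    print(triage_403("/integrations/api/v1/api-services", SAMPLE_TOKEN, 403, SAMPLE_403))
    print(triage_403("/api/v1/apps", SAMPLE_TOKEN, 403, SAMPLE_403))
```

For the thread's own case the first call reports that the scope is present and the role is what blocks the request, which matches the observation that the same call succeeds for a Super Admin; the second call shows the other branch, where the token simply never carried `okta.apps.read`.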
