403 on GET /users on other users

Using OAuth2 to access Okta API. I have the okta.users.read grant only. In our dev preview, I’m able to GET/users no problem. I’m authorized and pulling back users and applinks.

In our stage preview, I’m setup the same as in dev. I’m able to authorize and I can call GET /users, but only if I try to retrieve my details, no one else’s. I receive a 403 if I try to retrieve another persons details with GET /users.

The difference between these two previews, is that I have super admin on dev, but have no admin access on stage. I fear that in stage I have the scope to okta.users.read API, but not permissions on the data, except my data.

Some more detail, we’re connecting Salesforce to these Okta APIs, using a Named Principal (system to system) using OIDC Auth Provider. This pattern requires a single authorization to implement, usually an admin.

Has anyone run into this before?

Thanks in advance!

you have to have admin permissions in your org, to be able to run GET /users for anybody else but you

2 Likes

Philip, Thank you for confirming!