Using OAuth2 to access Okta API. I have the okta.users.read grant only. In our dev preview, I’m able to GET /users no problem. I’m authorized and pulling back users and applinks.
In our stage preview, I’m set up the same as in dev. I’m able to authorize and I can call GET /users, but only if I try to retrieve my details, no one else’s. I receive a 403 if I try to retrieve another person’s details with GET /users.
The difference between these two previews is that I have super admin on dev, but have no admin access on stage. I fear that in stage I have the scope to okta.users.read API, but not permissions on the data, except my data.
Some more detail: we’re connecting Salesforce to these Okta APIs, using a Named Principal (system to system) using OIDC Auth Provider. This pattern requires a single authorization to implement, usually an admin.
Has anyone run into this before?
Thanks in advance!