We are trying to protect a ASP.Net Core web api using Okta. The front end will only be our customers api’s, no user UI front-end.
Using the machine-to-machine account work for me but I am unable to get the groups that the Application is in? As there can be 100’s of them, we don’t want to hard code all allowed client id’s or use a customer DB. Is there a supported way to get the Application groups?
сan you clarify what you call “application groups” and what is “groups application is in”?
In the Okta UI you can add a User to a group or an Application?
So do you want to receive list of groups which user belongs to? or the list of users assigned to the application?
Neather, using the machine-to-machine(Client Credentials flow), the user == Application (not a user) & Applications can be added to groups?
I was able to code a C# unit test using Unit Testing and Implicit Flow to logon a normal user and pass the accessToken to the api. But still not sure on the api side how to tell what groups the user is in? I was able to add an access claim to the dev auth server, group1 = isMemberOfGroupName(“group1”), but this seems dump to have to add a access claim per group?
Oh, I see now, what you are saying. I don’t think you can get this information unfortunately, as Okta’s claim evaluation doesn’t have this functionality in the Expression Language. It’s available through Okta APIs though.
Thanks. I see NuGet has a Okta.SDK but that doesn’t support .Net core or are you talking something else?
I have tried to call to https://dev-534507.okta.com/api/v1/users/me/groups using the users access_token & id_token as a Bearer but the request fail with a 403 Forbidden - https://developer.okta.com/docs/reference/api/users/. If I call https://dev-534507.okta.com/api/v1/users/{id}/groups as SSWS I get a responce. Is this the correct way?
I think that last one URL you mentioned is a standard one to obtain user groups, I never tried to apply it to oidc_client honestly. You can check what is in the response, but I think it’s something different from what you expect, as your id represents an application in your m-2-m communication, not a user.
The other ones you mentioned in the beginning are just not valid url’s
I found this link - No 'groups' scope in the console for the default Authorisation Server.
This does work for a User but not the Machine-To-Machine id.