In the article User Authorization in ASP.NET Core with Okta, there is a step which involves generating an API token. This allows the Okta SDK to call back to the Okta API and retrieve the groups that the user is part of (instead of adding them all to the access token I assume).
While that works fine, I can’t seem to find anything about permissions for this token other than the following:
API tokens are generated with the permissions of the user that created the token
The only types of user permissions I can find are very broad, from Help Desk Admin to Super Admin. Ideally I want to lock the token down so that the only permissions it has are "Read Roles" and "Read User". It would also be nice to assign only certain users or groups to this API token. The reason for this is local development - I need to be able to generate an API token with limited read access that we can check into source control. This would let developers run our app locally with their own accounts and get the developer roles required. If the token is somehow leaked, at most someone can view roles and generic user information before we generate a new token (as opposed to leaking a superuser API token).
To sum up the questions:
- Can API tokens be given more granular control over what they can read/modify other than the broad Admin Roles?
- How would you handle API tokens for local development?
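One way to wire the Okta API token into an ASP.NET Core app for local development, as an added example that is not part of the original question, the linked article, or the Okta SDK's own samples. It assumes the Okta.Sdk package with its v5-style client (OktaClient, OktaClientConfiguration, client.Users.ListUserGroups) and two configuration keys chosen here, Okta:OktaDomain and Okta:Token. The token is read from configuration rather than from a committed file: in the Development environment the default host builder layers user secrets (dotnet user-secrets init, then dotnet user-secrets set "Okta:Token" "<token>") over appsettings.json, and an environment variable Okta__Token overrides both. Since, as the quoted documentation says, the token carries the permissions of the user that created it, which account mints the token is what bounds the damage from a leak; this code only makes sure the token itself never lands in the repository and that a missing or rotated token fails at startup.

```csharp
// Program.cs (ASP.NET Core minimal hosting). Added example, not code from the
// article or from Okta. Assumes Okta.Sdk (v5-style API) and the hypothetical
// configuration keys Okta:OktaDomain and Okta:Token.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Okta.Sdk;
using Okta.Sdk.Configuration;

var builder = WebApplication.CreateBuilder(args);

// In Development, WebApplication.CreateBuilder loads user secrets for the
// project's UserSecretsId on top of appsettings*.json, so the token lives in
// the developer's profile directory, not in a committed file. Environment
// variables (Okta__OktaDomain, Okta__Token) override both, which is what a
// CI job or container can use instead.
var oktaDomain = builder.Configuration["Okta:OktaDomain"];
var apiToken = builder.Configuration["Okta:Token"];

if (string.IsNullOrWhiteSpace(oktaDomain) || string.IsNullOrWhiteSpace(apiToken))
{
    // Fail at startup rather than on the first group lookup, so a missing or
    // rotated token is obvious immediately and never silently degrades auth.
    throw new InvalidOperationException(
        "Okta:OktaDomain and Okta:Token must be set " +
        "(dotnet user-secrets in Development, environment variables elsewhere).");
}

// One client for the process; the SDK authenticates every call with the SSWS
// token, so its effective permissions are those of whoever created the token.
builder.Services.AddSingleton<IOktaClient>(new OktaClient(new OktaClientConfiguration
{
    OktaDomain = oktaDomain,
    Token = apiToken,
}));

var app = builder.Build();

// Development-only diagnostic: lists the Okta groups for a user id, which is
// the read-only call the article's role mapping depends on. Guarded so it is
// never reachable outside local runs.
if (app.Environment.IsDevelopment())
{
    app.MapGet("/dev/okta-groups/{userId}", async (string userId, IOktaClient client) =>
    {
        var names = new List<string>();
        await foreach (var group in client.Users.ListUserGroups(userId))
        {
            names.Add(group.Profile.Name);
        }
        return Results.Ok(names);
    });
}

app.Run();
```

The .csproj needs a <UserSecretsId> element (created by dotnet user-secrets init) for the Development layering to take effect; without it the Okta:Token lookup returns null and the startup check above throws.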