Cannot get a user's groups after authenticating with OpenID

I am successfully authenticating with OpenID, then making an API call to /api/v1/users/me to get the user’s profile.

Then I try to make a second API call, this time to /api/users/{userId}/groups to get the user’s groups. That returns a 403 (Forbidden).

The scopes I attached to the auth code URL and subsequent access token are:

- openid
- email
- profile
- okta.users.read.self
- okta.groups.read

In summary:

Getting the user data and profile works just fine:

        $response = $http_client->request(
            'GET',
            'api/v1/users/me',
            [
                'headers' => [
                    'Accept' => 'application/json',
                    'Authorization' => sprintf('Bearer %s', $access_token),
                ]
            ]
        );

But this returns a 403:

        $response = $http_client->request(
            'GET',
            sprintf('api/v1/users/%s/groups', $user->getId()),
            [
                'headers' => [
                    'Accept' => 'application/json',
                    'Authorization' => sprintf('Bearer %s', $access_token),
                ]
            ]
        );

What am I missing?

Hello,
The scope you will need for /api/v1/users/<id>/groups is okta.users.read.
Also, it is not enough for the application to just be granted this scope; the user will also need to be part of an Okta Administrator group that has enough permissions to view groups for a user.

With OAuth for Okta, users that are granted tokens with Okta scopes also need to be part of appropriate administrator groups that have enough permissions to cover the scopes, or else a 403 will be returned.
/api/v1/users/me is a special case where the user does not need to be part of any administrator group.

1 Like

Thanks, that makes sense.

So it looks like the best solution is to make an API token that has access to groups, and use that to query for the user’s groups after they authenticate. Does that sound right?

Another idea is to add groups as a claim(s) to the token, if you don’t have too many.

1 Like
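The two approaches discussed above (a server-held API token for the groups lookup, or a groups claim in the token), as an added example that is not code from the thread or from Okta. It assumes Guzzle is installed, that `OKTA_ORG_URL` and `OKTA_API_TOKEN` are environment variables holding the org URL and an API token for a service account permitted to read users' groups, that the `SSWS` authorization scheme is used for that token, that `$id_token_claims` is the decoded and signature-verified payload of the user's ID token (verification by your OIDC library, not shown), that `sub` holds the user's Okta ID, and that a `groups` claim has been configured on the authorization server; all of these are assumptions, not facts from the thread.

```php
<?php
// Added example, not from the thread: two server-side ways to obtain a
// user's groups after the end-user has authenticated.
//
// Assumptions (not confirmed by the thread):
//   - Guzzle is installed (composer require guzzlehttp/guzzle).
//   - OKTA_ORG_URL and OKTA_API_TOKEN are set in the environment; the API
//     token belongs to a service account allowed to read users' groups and
//     is only ever used server-side, never handed to the browser.
//   - $id_token_claims is the decoded, signature-verified payload of the
//     user's ID token, produced by your OIDC library (not shown here).

require 'vendor/autoload.php';

use GuzzleHttp\Client;

/**
 * Option 1: query the groups endpoint with the server-held API token
 * (SSWS scheme) instead of the end-user's OAuth access token, so the
 * end-user does not need to hold an Okta administrator role.
 */
function fetchUserGroups(Client $client, string $apiToken, string $userId): array
{
    $response = $client->request(
        'GET',
        sprintf('api/v1/users/%s/groups', rawurlencode($userId)),
        [
            'headers' => [
                'Accept'        => 'application/json',
                'Authorization' => sprintf('SSWS %s', $apiToken),
            ],
        ]
    );
    $groups = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);

    // Keep only group names; the full group objects carry more than a session needs.
    return array_map(fn (array $g): string => $g['profile']['name'], $groups);
}

/**
 * Option 2: read a "groups" claim from the verified ID token. This requires
 * the claim to be configured on the authorization server (assumed here).
 * Returns null when the claim is absent so the caller can fall back to
 * option 1 rather than silently treating the user as having no groups.
 */
function groupsFromClaims(array $claims, string $claimName = 'groups'): ?array
{
    if (!isset($claims[$claimName]) || !is_array($claims[$claimName])) {
        return null;
    }
    // Drop anything that is not a plain string so a malformed claim
    // cannot smuggle nested structures into authorization decisions.
    return array_values(array_filter($claims[$claimName], 'is_string'));
}

$orgUrl   = getenv('OKTA_ORG_URL') ?: '';
$apiToken = getenv('OKTA_API_TOKEN') ?: '';
if ($orgUrl === '' || $apiToken === '') {
    throw new RuntimeException('OKTA_ORG_URL and OKTA_API_TOKEN must be set');
}

$client = new Client([
    'base_uri' => rtrim($orgUrl, '/') . '/',
    'timeout'  => 10,
]);

// $id_token_claims comes from your OIDC library after signature verification
// (assumed). Prefer the claim when present; otherwise look the groups up.
$groups = groupsFromClaims($id_token_claims)
    ?? fetchUserGroups($client, $apiToken, $id_token_claims['sub']);
```

Whichever option is used, the API token stays on the server and the end-user's access token is only used for `/api/v1/users/me`; the groups claim path avoids the second API call altogether, which matters when the user population is large or the app should not hold a privileged token at all.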