I am successfully authenticating with OpenID, then making an API call to /api/v1/users/me to get the user’s profile.
Then I try to make a second API call, this time to /api/users/{userId}/groups to get the user’s groups. That returns a 403 (Forbidden).
The scopes I attached to the auth code URL and the subsequent access token are:
- openid
- email
- profile
- okta.users.read.self
- okta.groups.read
In summary:
Getting the user data and profile works just fine:
// Works: fetch the profile of the user the access token was issued to
$response = $http_client->request(
    'GET',
    'api/v1/users/me',
    [
        'headers' => [
            'Accept'        => 'application/json',
            'Authorization' => sprintf('Bearer %s', $access_token),
        ],
    ]
);
But this returns a 403:
// Fails with 403: list the groups of that same user, using the id from the first call
$response = $http_client->request(
    'GET',
    sprintf('api/v1/users/%s/groups', $user->getId()),
    [
        'headers' => [
            'Accept'        => 'application/json',
            'Authorization' => sprintf('Bearer %s', $access_token),
        ],
    ]
);
What am I missing?
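An added debugging check, not part of the original post: decode the access token's payload and compare the scopes it actually carries against the list requested above. It assumes the token is a JWT and that granted scopes appear in an `scp` array claim (the claim Okta uses for this, but treated as an assumption here); the sample token is constructed inline so the snippet runs offline. The signature is deliberately not verified, so this is for inspection only, never for an authorization decision.

```php
<?php
// Added example (not the poster's code): inspect which scopes an access token
// actually carries. Assumption: the token is a JWT whose payload has an `scp`
// array claim holding the granted scopes.

/** Base64url-decode one JWT segment (RFC 7515 alphabet, padding optional). */
function base64url_decode(string $data): string
{
    $remainder = strlen($data) % 4;
    if ($remainder !== 0) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

/** Return the decoded JWT payload as an array, or null if the token is not a JWT. */
function jwt_payload(string $jwt): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        // Opaque token or not a JWT: the scopes cannot be read locally.
        return null;
    }
    $payload = json_decode(base64url_decode($parts[1]), true);
    return is_array($payload) ? $payload : null;
}

/**
 * Compare requested scopes with the `scp` claim of the token.
 * Debugging aid only: the signature is NOT checked here.
 */
function scope_report(string $jwt, array $requested): array
{
    $payload = jwt_payload($jwt);
    $granted = (array) ($payload['scp'] ?? []);
    return [
        'granted' => $granted,
        'missing' => array_values(array_diff($requested, $granted)),
    ];
}

// Constructed sample token (header and payload only, empty signature) for offline
// use. Its payload deliberately lacks okta.groups.read.
$sample_payload = [
    'sub' => 'constructed-sample-user',
    'scp' => ['openid', 'email', 'profile', 'okta.users.read.self'],
];
$b64url = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$sample_token = implode('.', [
    $b64url(json_encode(['alg' => 'none', 'typ' => 'JWT'])),
    $b64url(json_encode($sample_payload)),
    '',
]);

$requested = ['openid', 'email', 'profile', 'okta.users.read.self', 'okta.groups.read'];
print_r(scope_report($sample_token, $requested));
```

Run it against the real `$access_token` in place of `$sample_token`: if `okta.groups.read` is listed under `missing`, the token was issued without that scope and the 403 on the groups call is what that token will get; if it is listed under `granted`, the token's scope list is not what is being rejected and the cause lies elsewhere. If `jwt_payload` returns null, the token is opaque and its scopes have to be checked through the issuer's token introspection endpoint instead.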