Cannot make Okta API Rest calls using OAuth2 token as Bearer token

Hi,

Everything is in the title, I have created another topic to split my questions for more clarity.

I have been using Okta API using API tokens for a while now, but I wanted to use the Bearer token using OAuth2 token for more security.

I have followed this tutorial Access token bearer but without success as I’m always getting a 401 Unauthorized error when I’m trying to do a GET on /api/v1/users/ with the scope okta.users.read granted.

I tried using the default and a custom authorization server but nothing so far. The access token is well generated as it should be.

Thank you for any help!

Make sure you are

  1. requesting your tokens from the Org Authorization Server, as noted here. You will know you’re using the right server if you are using https://oktaDomain/oauth2/v1/authorize and https://oktaDomain/oauth2/v1/token to get tokens AND you are able to get a token back by only requesting the okta.users.read scope
  2. ensure that the user you are logging in as has sufficient admin permissions to make this API call. Your user MUST be an admin to make a GET to users (with the exception of the end-user endpoint /api/v1/users/me). Details about admin permissions here.

As I’m using a custom domain for my app, the issuer is a custom Auth Server.

I’m using the access token when the user is logging into my app to make this call, so I’m not sure how to check your 1st point.

I’m worried about your 2nd point, because I’m developing a custom dashboard for a CIAM project so users won’t be admins. (But it should not interfere right now as I’m testing with my super admin account).

If you have a custom url domain configured for your Org, you can update your application (in Okta) to use the custom domain instead of the default *.okta.com domain. This is covered in the second section of this guide: Update other Okta settings | Okta Developer. You cannot use a custom Authorization Server to get these OAuth bearer tokens.

You can confirm which org is issuing the token by decoding the payload, using a tool like Okta’s token.dev site. In the claims within the token, you should see an “iss” claim. If the value for this issuer claim is ONLY your okta domain, https://oktaDomain, then you are using the Org Authorization needed. If the value you see looks like https://oktaDomain/oauth2/default OR https://oktaDomain/oauth2/{{authorizationServerId}}, then you are not using the Org Authorization Server and will need to request a new token from the appropriate server.

For the 2nd point I made, what information are you trying to fetch about the end users? Do the results from the /userinfo endpoint OR the /api/v1/users/me endpoint (which is accessible with the okta.users.read.self scope) contain the information you are looking for?
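The issuer check described in the reply above, as an added example that is not part of any post in this thread: it decodes the token payload locally and classifies the `iss` claim by its path. The domain `example.okta.com`, the helper names and the sample tokens are constructed, and reading scopes from an `scp` claim is an assumption about the token layout.

```python
import base64
import json
from urllib.parse import urlparse


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Diagnostic use only: never authorize a request on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_kind(iss):
    """Classify an issuer URL by its path, following the rule in the reply."""
    url = urlparse(iss)
    if url.scheme != "https" or not url.netloc:
        return "invalid"
    segments = [s for s in url.path.split("/") if s]
    if not segments:
        return "org"      # https://oktaDomain -> Org Authorization Server
    if len(segments) == 2 and segments[0] == "oauth2":
        return "custom"   # /oauth2/default or /oauth2/{authorizationServerId}
    return "unknown"


def diagnose(token):
    """Return (issuer kind, granted scopes) for a token."""
    claims = jwt_claims(token)
    # Assumption: scopes are carried as a list in the "scp" claim.
    return issuer_kind(claims.get("iss", "")), claims.get("scp", [])


def _make_sample(claims):
    """Build a constructed token with a placeholder signature segment."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.placeholder"


# Constructed samples; example.okta.com is a placeholder domain.
ORG_TOKEN = _make_sample({"iss": "https://example.okta.com", "scp": ["okta.users.read"]})
CUSTOM_TOKEN = _make_sample({"iss": "https://example.okta.com/oauth2/default", "scp": ["okta.users.read"]})

if __name__ == "__main__":
    for label, tok in (("org sample", ORG_TOKEN), ("custom sample", CUSTOM_TOKEN)):
        print(label, diagnose(tok))
```

A result of `custom` means the token was issued by `/oauth2/default` or `/oauth2/{authorizationServerId}` and, per the reply, a new token has to be requested from the Org Authorization Server.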

My application is already using the custom url domain nothing to worry about that. Also I’m using a custom authorization server which also is using the custom url domain, so not the default one either.

I have to use a custom authorization server because if not the session cookie when authenticated would not match the custom url (and then ask to sign in again when reaching the custom url to access okta tenant).

I’m not trying to fetch data from the end user itself, but for example the application list from Okta. So enabling the scope okta.apps.read.

I don’t quite understand your explanation about having to use the custom authorization server. Like I said, you cannot use those tokens against the Okta API endpoints to get access to protected resources and, additionally, you cannot access the /apps endpoint with a user that is not assigned an Administrator role.

You may want to refer to our administrator roles guide that shows which role is required to access which resource. For example, a GET to /api/v1/apps will require that the user accessing it is a Super Admin, an App Admin (if assigned the application), a Read Only Admin, a Mobile Admin, or an API Access Management Admin (only OIDC applications).

Yes I understood about the custom auth server.

But first I tried with the default auth server with my super admin account and the required scopes enabled. And the token didn’t function either.

So for a custom Dashboard development, we have to use a common API token to make GET to /api/v1/apps created with enough rights. No other solution for non-admin users.

When you say default, are you making requests to https://oktadomain/oauth2/default/v1/token? or are you making requests to https://oktadomain/oauth2/v1/token?