Groups vs Scope association in Client Credentials workflow


I am trying the client credentials workflow to have an auth token issued for an application that comes with an application ID, secret and scope.

  1. Create a list of applications: App1, App2 and App3
  2. Create groups and associate the apps with these groups like below:

  • App1 - Private

  • App1, App2 - Public

  • App1, App3 - Custom

  3. Created an auth server and created custom scopes…

  4. Assigned these scopes to groups under Policies in the auth server (Security -> API -> Auth server)

  5. Client chosen as "All clients" (apps), since they were associated under Groups.

  6. This rule's scope association with groups is not working. It always returns the token presented as part of the rules instead of checking the valid association with groups and apps.

Just a note: I tried two different approaches:

  1. An individual policy and individual rule for each application by choosing specific clients - it is working
  2. An individual policy and individual rule for each scope or group by choosing All clients - it is not working

Also, I am using a trial account for trying this POC.

Please help and advise me on the best approach.

Client credentials flow doesn't have any user/group context, so I don't think your policies would apply here.

The policy has an option to choose which group, and an option for scope as part of the rule configuration. Please see the rule screen where you have these options.

Please let me know whether group vs scope configuration can be done via the Policy feature?

If you want to use a policy based on groups, then you need to use a flow that has user context.

The Client Credentials flow is intended for server-side (confidential) client applications with no end user, which normally describes machine-to-machine communication.


Okay, leaving the Policy section aside.

All I wanted to achieve is to assign groups vs scopes. How do I do that?

Can you elaborate on what you mean by groups vs scopes?

In the client credentials workflow:

I have groups which are associated with applications (apps). I will define a scope which can be associated with multiple groups.

If the integrator passes the app ID/secret and scope, it should check the underlying groups in Okta and authenticate against the associated scope, then issue the token.

So, I don't see an option to configure groups with a list of scopes. Hope it is clear.

Following up on this. Please let me know if you need more explanation.

Groups cannot be "assigned" to Service applications, as users are not involved when requesting tokens; ergo, there are no groups associated with a service application.

If you are using a Web app for which you have enabled the Client Credentials flow, similar rules apply: in the Client Credentials flow there is no user context, so there are no applicable groups that can be pulled into a claim dynamically.

You may want to look into static allow lists if you want to store group assignment information about an app within the app profile, but you will need to update this attribute any time new groups are "assigned" to your application.

Regardless, group assignment and using it within your scopes/claims for tokens issued via the Client Credentials flow is not a good match, based on the above.
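Added example (not from the thread and not Okta's code): a small Python model of the two policy configurations compared in the thread, plus the static allow-list idea from the last reply. The app names, group names, scope names, Okta domain and client secret are constructed placeholders. The rule matcher is a deliberate simplification: it assumes first match wins and that a group condition, being a condition on the user, is simply not evaluated when no user is present, which is the behaviour the original poster observed with an "All clients" rule. The token request builder only assembles the request; it does not send it.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlencode

# Constructed data mirroring the thread: three apps and their "group" membership,
# stored as a static attribute on each app profile (placeholder attribute name).
APP_PROFILES: Dict[str, Dict[str, List[str]]] = {
    "App1": {"appGroups": ["Private", "Public", "Custom"]},
    "App2": {"appGroups": ["Public"]},
    "App3": {"appGroups": ["Custom"]},
}
# The group -> scope association the poster wants, kept outside the policy engine.
GROUP_SCOPES: Dict[str, Set[str]] = {
    "Private": {"private.read"},
    "Public": {"public.read"},
    "Custom": {"custom.write"},
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for client_secret_basic client authentication."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(okta_domain: str, auth_server_id: str,
                        client_id: str, client_secret: str, scopes: List[str]):
    """Shape of a client_credentials grant against a custom authorization server.
    Only the client authenticates; no user is involved, so no group membership
    can reach the access policy."""
    url = f"https://{okta_domain}/oauth2/{auth_server_id}/v1/token"
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return url, headers, body


@dataclass
class Rule:
    name: str
    clients: Optional[Set[str]]   # None means "All clients"
    groups: Optional[Set[str]]    # None means "Any user"; otherwise a user condition
    scopes: Set[str]              # scopes this rule may grant


@dataclass
class TokenRequest:
    client_id: str
    grant_type: str
    scopes: Set[str]
    user_groups: Optional[Set[str]] = None  # None: no user, e.g. client_credentials


def first_matching_rule(rules: List[Rule], req: TokenRequest) -> Optional[Rule]:
    """Simplified, priority-ordered match (assumption: first match wins). A group
    condition constrains the user; with no user it is not evaluated, so an
    'All clients' rule matches every client regardless of its group."""
    for rule in rules:
        if rule.clients is not None and req.client_id not in rule.clients:
            continue
        if (rule.groups is not None and req.user_groups is not None
                and not (rule.groups & req.user_groups)):
            continue
        return rule
    return None


def granted_scopes(rules: List[Rule], req: TokenRequest) -> Set[str]:
    """Scopes the token would carry: requested scopes limited to the matched rule."""
    rule = first_matching_rule(rules, req)
    return req.scopes & rule.scopes if rule else set()


def allowed_scopes_from_profile(profile: Dict[str, List[str]]) -> Set[str]:
    """Static allow-list: derive an app's scopes from its profile attribute."""
    allowed: Set[str] = set()
    for group in profile.get("appGroups", []):
        allowed |= GROUP_SCOPES.get(group, set())
    return allowed


def rules_from_profiles(profiles: Dict[str, Dict[str, List[str]]]) -> List[Rule]:
    """The configuration that did work in the thread: one rule per client with
    specific clients selected and no group condition, generated from the profiles."""
    return [Rule(f"{cid} scopes", {cid}, None, allowed_scopes_from_profile(p))
            for cid, p in profiles.items()]


if __name__ == "__main__":
    # "Not working": one All-clients rule restricted by group.
    group_rules = [Rule("Public group", None, {"Public"}, {"public.read"})]
    app3 = TokenRequest("App3", "client_credentials", {"public.read"})
    print("all-clients rule grants App3:", granted_scopes(group_rules, app3))  # {'public.read'}
    # "Working": one rule per client, derived from the static allow-lists.
    print("per-client rule grants App3:", granted_scopes(rules_from_profiles(APP_PROFILES), app3))  # set()
    print(build_token_request("dev-000000.okta.com", "default", "App1", "s3cret", ["private.read"]))
```

The point the model makes visible is the one in the replies: without a user there is nothing for a group condition to bind to, so the per-client rule is the only place the client-to-scope restriction actually lives. Keeping the group membership on the app profile lets you regenerate those rules when an app is "assigned" a new group, but nothing updates them automatically.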