GroupsVsScope association in Client credential workflow

sankar.balasubramani · April 12, 2021, 7:30pm

Hi,

I am trying to attempt client credential workflow to have auth token issued for application who comes with application id and secret and scope.

Create list of application App1,App2 and app3
Create groups and associate apps with these groups like below;

*App1 - Private Group

App1, App2 - Public
App1, App3 - Custom

created auth server and created custom scopes…
assign these scopes to groups under Policies in Authserver(Security->API->Auth server)

image1150×595 34.3 KB

5.client chosen as all client (apps) since it was associated under Groups.

this rule scope association with group is not working. it always returning token presented in part of the rules instead of checking valid association with groups and apps.

Just a note: I created two different approach:

individual policy and indiv rule for each application by choosing specific clients - it is working
individual policy and indiv rule for each scope or group by choosing All clients - it is not working

also, i am using trial account for trying this POC.

Please help and advice me best approach

warren · April 13, 2021, 4:15pm

Client credentials flow doesn’t have any user/group context so I don’t think your policies would apply here.

sankar.balasubramani · April 13, 2021, 4:29pm

Policy has option to chose which group and option to scope part of the rule configuration. Please add rule screen where you have these options.

…

Please let me know whether Group vs scope configuration can be done via Policy feature?

warren · April 13, 2021, 5:01pm

If you want to use a policy based on groups, then you need to use a flow that has user context.

The Client Credentials flow is intended for server-side (confidential) client applications with no end user, which normally describes machine-to-machine communication.

sankar.balasubramani · April 13, 2021, 5:14pm

okay, leaving the Policy section.

All i wanted to achieve is assign the group vs scopes. how to do that?

warren · April 13, 2021, 8:10pm

Can you elaborate on what you mean by groups vs scopes?

sankar.balasubramani · April 13, 2021, 8:24pm

In client credential workflow:

I have groups which is associated to applications(apps). I will define scope which can be associated to multiple groups.

If integrator pass the app id/secret and scope, they should check underlying groups in OKTA and authenticate against scope associated then issue the token .

So, i dont see an option to configure groups with list of scopes. Hope it is clear

sankar.balasubramani · April 15, 2021, 6:01pm

following up on this. please let me know if you need more explanation

andrea · April 15, 2021, 6:38pm

Groups cannot be “assigned” to Service applications, as users are not involved when requesting tokens, ergo, there are not groups that are associated to a service application.

If you are using a Web app that you have enabled Client Credentials flow, similar rules apply: In the Client Credentials flow there is no user scope, so there are no applicable groups that can be pulled into a claim dynamically.

You may want to look into static allow lists if you want to store group assignment information about an app within the app profile, but you will need to update this attribute anytime new groups are “assigned” your application.

Regardless, group assignment and using it within your scopes/claims for tokens issued via Client Credentials flow is not a good match based on the above.

system · February 8, 2024, 9:31pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.