5. Client chosen as All clients (apps), since it was associated under Groups.
This rule's scope association with the group is not working. It always returns the token presented as part of the rules instead of checking for a valid association with groups and apps.
Just a note: I created two different approaches:
individual policy and individual rule for each application by choosing specific clients - it is working
individual policy and individual rule for each scope or group by choosing All clients - it is not working
Also, I am using a trial account for trying this POC.
If you want to use a policy based on groups, then you need to use a flow that has user context.
The Client Credentials flow is intended for server-side (confidential) client applications with no end user, which normally describes machine-to-machine communication.
I have groups which are associated with applications (apps). I will define a scope which can be associated with multiple groups.
If the integrator passes the app ID/secret and scope, they should check the underlying groups in OKTA and authenticate against the associated scope, then issue the token.
So, I don't see an option to configure groups with a list of scopes. Hope it is clear.
Groups cannot be “assigned” to Service applications, as users are not involved when requesting tokens; ergo, there are no groups associated with a service application.
If you are using a Web app for which you have enabled the Client Credentials flow, similar rules apply: in the Client Credentials flow there is no user scope, so there are no applicable groups that can be pulled into a claim dynamically.
You may want to look into static allow lists if you want to store group assignment information about an app within the app profile, but you will need to update this attribute any time new groups are “assigned” to your application.
Regardless, group assignment and using it within your scopes/claims for tokens issued via Client Credentials flow is not a good match based on the above.