I’m currently facing an issue with the Oktakit gem when trying to add or remove a user from a group using the add_user_to_group and remove_user_from_group methods. Here’s the implementation for add_user_to_group:
usage:

require 'oktakit'

# Both helpers read the MFA opt-in group id from the environment and hand it,
# together with the user id, to Oktakit's group-membership helpers
# (add_user_to_group / remove_user_from_group take group_id, then user_id).
# ENV.fetch without a default raises KeyError when the variable is unset,
# instead of silently sending a request to /groups//users/<id>.
def enroll_user_to_mfa(user_id)
  mfa_opt_in_group_id = ENV.fetch('MFA_OPT_IN_GROUP_ID')
  @okta_client.add_user_to_group(mfa_opt_in_group_id, user_id)
end

def unenroll_user_from_mfa(user_id)
  mfa_opt_in_group_id = ENV.fetch('MFA_OPT_IN_GROUP_ID')
  @okta_client.remove_user_from_group(mfa_opt_in_group_id, user_id)
end
I also tried the @okta_client.put("/groups/#{mfa_opt_in_group_id}/users/#{user_id}") approach
docs :
Whenever I call these methods, I get an “Invalid session” error. I’m passing in the correct group and user IDs.
What’s strange is that other methods, such as okta_client.get("/users/#{user_id}/groups"), work as expected, so it doesn’t seem to be a general authentication issue.
Has anyone encountered this issue before? Do you have any ideas on what could be going wrong or suggestions for further debugging?
Looks like this is a third party Ruby library that interacts with Okta’s APIs. The error you are seeing indicates a permissions failure.
From what I see in the docs for this library, it seems to take an API key to authorize the calls. What admin permissions are associated with the token with which you initialized the client?
To clarify, the user in this case doesn’t have any admin permissions. Is there a way to implement this approach where we allow the user to add themselves to a group or remove themselves, without needing admin privileges? Any guidance or alternative solutions would be greatly appreciated.
As Groups are used in Okta to determine what policies the user will need to fulfill to access resources and what applications they are assigned to and similar security controls, I can’t imagine there being any way for an end-user without Admin permissions to manage their group membership, at least directly.
Maybe you can set up your own interface that will take the requests from users to change their group membership and then, within your implementation, determine whether or not this change should/can be made and, if allowed, complete the API request on their behalf.
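One way to build the interface the reply above describes, as an added example that is not part of the original thread and not Oktakit's or Okta's own code: a server-side broker holds the only admin-scoped Okta client, takes membership-change requests from end users, applies its own policy (a user may only change their own membership, and only in an allow-listed set of self-service groups), and only then calls the API on the user's behalf. The group and user ids, the `GroupMembershipBroker` and `RecordingOktaClient` classes and the policy rules are all assumptions made for the example; the recording client stands in for an `Oktakit::Client` initialised with an admin API token, with method names and argument order assumed to match oktakit's `add_user_to_group(group_id, user_id)` and `remove_user_from_group(group_id, user_id)`.

```ruby
require 'set'

# Hypothetical broker (example code): the only component that holds an
# admin-scoped Okta client. End users never talk to the Okta API directly.
class GroupMembershipBroker
  # Groups an end user may join or leave on their own. Constructed sample id.
  SELF_SERVICE_GROUPS = Set['00g_mfa_opt_in_example'].freeze

  Decision = Struct.new(:allowed, :reason)

  def initialize(okta_client, self_service_groups: SELF_SERVICE_GROUPS)
    @okta_client = okta_client
    @self_service_groups = self_service_groups
    @audit_log = [] # one entry per request, allowed or denied
  end

  attr_reader :audit_log

  # requester_id must come from the authenticated session on the server,
  # never from the request body, or the ownership check below is meaningless.
  def change_membership(requester_id:, target_user_id:, group_id:, action:)
    decision = authorize(requester_id, target_user_id, group_id, action)
    @audit_log << { requester: requester_id, target: target_user_id,
                    group: group_id, action: action, allowed: decision.allowed,
                    reason: decision.reason }
    return decision unless decision.allowed

    # Only after the policy check does the admin-scoped client act on the
    # user's behalf (assumed oktakit signatures: group_id first, then user_id).
    case action
    when :add    then @okta_client.add_user_to_group(group_id, target_user_id)
    when :remove then @okta_client.remove_user_from_group(group_id, target_user_id)
    end
    decision
  end

  private

  # Policy for this example: self-service only, allow-listed groups only.
  def authorize(requester_id, target_user_id, group_id, action)
    unless %i[add remove].include?(action)
      return Decision.new(false, 'unknown action')
    end
    unless requester_id == target_user_id
      return Decision.new(false, 'users may only change their own membership')
    end
    unless @self_service_groups.include?(group_id)
      return Decision.new(false, 'group is not self-service')
    end
    Decision.new(true, 'ok')
  end
end

# Stand-in for an Oktakit::Client initialised with an admin API token. It
# records the calls it would make so the example runs offline; the paths
# mirror the PUT/DELETE endpoints mentioned in the thread.
class RecordingOktaClient
  attr_reader :calls

  def initialize
    @calls = []
  end

  def add_user_to_group(group_id, user_id)
    @calls << [:put, "/groups/#{group_id}/users/#{user_id}"]
  end

  def remove_user_from_group(group_id, user_id)
    @calls << [:delete, "/groups/#{group_id}/users/#{user_id}"]
  end
end

# Walk through the cases a practitioner would want covered: a permitted
# self-enrolment, an attempt to change someone else's membership, an attempt
# on a non-self-service group, and a permitted self-unenrolment.
def run_broker_example
  client = RecordingOktaClient.new
  broker = GroupMembershipBroker.new(client)
  mfa_group = '00g_mfa_opt_in_example' # constructed sample id

  results = []
  results << broker.change_membership(requester_id: '00u_alice', target_user_id: '00u_alice',
                                      group_id: mfa_group, action: :add)
  results << broker.change_membership(requester_id: '00u_alice', target_user_id: '00u_bob',
                                      group_id: mfa_group, action: :add)
  results << broker.change_membership(requester_id: '00u_alice', target_user_id: '00u_alice',
                                      group_id: '00g_admins_example', action: :remove)
  results << broker.change_membership(requester_id: '00u_alice', target_user_id: '00u_alice',
                                      group_id: mfa_group, action: :remove)
  [results, client.calls, broker.audit_log]
end
```

The token behind the real client needs whatever admin permissions Okta requires for group membership changes, and it stays on the server; the end user's own session is only used to establish `requester_id`. Because every request, allowed or not, lands in the audit log, denied attempts to modify other users' membership are visible to whoever reviews it.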