I have granted the okta.users.manage.self and okta.users.read.self scopes in my application and used the org auth server to mint a token. However, I am having issues updating the user's profile with it.
I can perform a GET request to /api/v1/users/me successfully, but when I do a POST request I am given the following 403 response:
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "oae07FSOK28QKyvZshjDmrSzQ",
  "errorCauses": []
}
I do not have this issue if I am logged in as a user who also happens to be a super-admin for the Okta org, but when I log in as another user and try to do the same thing I am blocked.
The user’s token looks like this:
{
  "ver": 1,
  "jti": ...,
  "iss": "https://{my-org}.okta.com",
  "aud": "https://{my-org}.okta.com",
  "sub": "{my-username}",
  "iat": ...,
  "exp": ...,
  "cid": ...,
  "uid": ...,
  "scp": [
    "okta.users.read.self",
    "okta.users.manage.self"
  ]
}
Am I doing something wrong / missing something, or is this a bug?
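A client-side triage script for the situation described in the question, added here as an example; it is not code from the question or from Okta. It decodes the bearer token's claims without verifying the signature (a debugging aid only), checks that the "scp", "iss" and "aud" claims are what a call to /api/v1/users/me needs, builds the profile-update request with the changed attributes nested under "profile" (the partial-update body shape Okta's user update endpoints take), and recognises the E0000006 permission error from the response body. The mapping of GET to okta.users.read.self and POST to okta.users.manage.self, the helper names, and the sample token and claims are assumptions constructed for this example.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Any

# Placeholder from the question; substitute your own org URL before sending anything.
ORG_URL = "https://{my-org}.okta.com"

# Assumption: the read.self scope covers the GET, the manage.self scope
# covers the profile update (POST) against /api/v1/users/me.
REQUIRED_SCOPE = {
    "GET": "okta.users.read.self",
    "POST": "okta.users.manage.self",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims: dict[str, Any]) -> str:
    """Build a CONSTRUCTED sample token (header + claims + dummy signature).

    The signature is not valid; this exists only so the checks below can be
    exercised offline. Never feed such a token to a real resource server.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.dummysig"


def decode_claims(token: str) -> dict[str, Any]:
    """Return the JWT payload WITHOUT verifying the signature.

    Use this only to inspect a token you already hold while debugging;
    it does not authenticate anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_request(claims: dict[str, Any], method: str, org_url: str) -> list[str]:
    """List reasons the token itself would not be accepted for this call.

    An empty list means the token carries the scope the call needs and was
    issued by, and is addressed to, the org authorization server. A 403
    after that passes points at something other than the token's claims.
    """
    problems: list[str] = []
    needed = REQUIRED_SCOPE[method.upper()]
    scopes = claims.get("scp", [])
    if needed not in scopes:
        problems.append(f"missing scope {needed}; token has {scopes}")
    if claims.get("iss") != org_url:
        problems.append(f"iss {claims.get('iss')!r} is not the org server {org_url!r}")
    if claims.get("aud") != org_url:
        problems.append(f"aud {claims.get('aud')!r} is not the org server {org_url!r}")
    return problems


def build_profile_update(token: str, org_url: str, profile_changes: dict[str, Any]) -> dict[str, Any]:
    """Build the POST /api/v1/users/me request that updates the caller's own profile.

    Only the attributes listed under "profile" are changed (POST is a partial update).
    """
    return {
        "method": "POST",
        "url": f"{org_url}/api/v1/users/me",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        "body": json.dumps({"profile": profile_changes}),
    }


def is_permission_denied(body: dict[str, Any]) -> bool:
    """True when Okta answered with the E0000006 'no permission' error from the question."""
    return body.get("errorCode") == "E0000006"


def send_request(request: dict[str, Any]) -> tuple[int, dict[str, Any]]:
    """Send a request built above and return (status, parsed JSON body).

    This performs a network call; run it only against your own org.
    """
    data = request.get("body", "").encode() or None
    req = urllib.request.Request(request["url"], data=data, headers=request["headers"], method=request["method"])
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")
```

Typical use is to run check_token_for_request() on the decoded claims first; only once it returns an empty list is a 403 worth reporting as a server-side permission problem rather than a token problem.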