Making an API call in Java behind the scenes

Hi,

I have a Java app, and I need to integrate OKTA.

I need to login to the app with an okta account, and get the user’s group list from OKTA.

I got the login part working (authorization code flow).

When the groups are included in the token (“claims”) – I’m good.

But I need help with the groups fetching in an API call – because I need to support “no groups claims” scenario.

I can’t use Spring, so I’m coding against the protocol, on server side.

I need to make the API call for the groups behind the scenes, silently, with an access token (can’t use an API token).

1 – is there a permission I need to add to the user to enable the API call?

2 – Do I need to request a special access token for the API call? How?

3 – When I call {okta-url}/api/v1/users/me in the browser window, I see a lot of cookies being sent, including ‘sid’ (identifies the session?). How can the server side get these cookies (or just the sid cookie) without involving the browser?

4 – Any other info on this is welcome

Thanks in advance

You could try using OAuth for Okta API but it only works with access tokens granted by the Org Authorization server. The okta.groups.read scope should allow you to retrieve the groups for that user.

The downside is that you lose the benefits of using a custom authorization server (custom claims, custom scopes, etc).

Another potential issue is that you cannot validate an access token minted by the Org authorization server locally, such as with a JWT verifier.
https://support.okta.com/help/s/article/Signature-Validation-Failed-on-Access-Token

3 Likes

okta.users.read scope would be the scope for getting the groups of the currently logged-in user (/api/v1/users/me/groups)
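The two replies above describe one flow: run the authorization code flow against the org authorization server, request an OAuth-for-Okta scope (okta.users.read for /api/v1/users/me/groups, as the second reply says), and call the API with the resulting access token as a Bearer token, remembering that such a token cannot be signature-checked locally. The following is an added example written for this thread, not code from Okta or from either poster. It uses only the Python standard library so the three raw HTTP calls are visible (a Java client such as java.net.http makes the same requests; the server never needs the browser's cookies, including sid, because the access token is the credential). OKTA_DOMAIN, CLIENT_ID, REDIRECT_URI and the sample JSON responses are constructed placeholders, and it assumes the app has been granted the okta.users.read scope in the Okta admin console before that scope is requested.

```python
"""Fetch the signed-in user's Okta groups with an OAuth-for-Okta access token.
Added example, not code from this thread. OKTA_DOMAIN, CLIENT_ID and REDIRECT_URI
are placeholder assumptions; the app is assumed to have okta.users.read granted."""
import base64
import hashlib
import io
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

OKTA_DOMAIN = "https://dev-000000.okta.com"        # placeholder (assumption)
CLIENT_ID = "0oaEXAMPLECLIENTID"                   # placeholder (assumption)
REDIRECT_URI = "https://app.example.com/callback"  # placeholder (assumption)
# Org authorization server: {domain}/oauth2/v1/..., not {domain}/oauth2/default/v1/...
AUTHORIZE_ENDPOINT = OKTA_DOMAIN + "/oauth2/v1/authorize"
TOKEN_ENDPOINT = OKTA_DOMAIN + "/oauth2/v1/token"
GROUPS_ENDPOINT = OKTA_DOMAIN + "/api/v1/users/me/groups"
SCOPES = "openid okta.users.read"  # okta.users.read covers /api/v1/users/me/groups


def make_pkce_pair():
    """(code_verifier, S256 code_challenge) for the authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(state, code_challenge):
    """Step 1: redirect the browser here; Okta sends ?code=...&state=... to REDIRECT_URI."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": SCOPES, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def exchange_code(code, code_verifier, client_secret, opener=urllib.request.urlopen):
    """Step 2 (server side, no browser, no cookies): redeem the code for an access token."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier}
    basic = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        token = json.loads(resp.read().decode())
    # An org-AS access token cannot be signature-checked locally; the API call in
    # step 3 is the check, so nothing is verified here.
    return token["access_token"]


def parse_groups(raw_json):
    """Group names from the JSON array that /api/v1/users/me/groups returns."""
    return [g["profile"]["name"] for g in json.loads(raw_json)]


def fetch_groups(access_token, opener=urllib.request.urlopen):
    """Step 3: call the Okta API with the access token as a Bearer token."""
    req = urllib.request.Request(GROUPS_ENDPOINT,
                                 headers={"Authorization": "Bearer " + access_token})
    try:
        with opener(req) as resp:
            return parse_groups(resp.read())
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):  # bad/expired token, wrong AS, or scope not granted
            raise PermissionError(f"Okta rejected the token (HTTP {err.code})") from err
        raise


# ---- Constructed offline stand-in for Okta (not real responses) ----
SAMPLE_TOKEN_JSON = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                                "access_token": "constructed-good-token"}).encode()
SAMPLE_GROUPS_JSON = json.dumps([
    {"id": "00g1", "type": "BUILT_IN", "profile": {"name": "Everyone"}},
    {"id": "00g2", "type": "OKTA_GROUP", "profile": {"name": "Engineering"}},
]).encode()


def _fake_okta(req):
    """Token endpoint always succeeds; the API accepts only the constructed token."""
    if req.full_url == TOKEN_ENDPOINT:
        return io.BytesIO(SAMPLE_TOKEN_JSON)
    if req.get_header("Authorization") != "Bearer constructed-good-token":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", None, None)
    return io.BytesIO(SAMPLE_GROUPS_JSON)


def demo_offline():
    """Steps 2-3 against the stand-in: (group names, whether a bad token was rejected)."""
    verifier, _challenge = make_pkce_pair()
    token = exchange_code("constructed-code", verifier, "constructed-secret", opener=_fake_okta)
    names = fetch_groups(token, opener=_fake_okta)
    try:
        fetch_groups("wrong-token", opener=_fake_okta)
        rejected = False
    except PermissionError:
        rejected = True
    return names, rejected
```

Against a real org, drop the `opener` argument so `urllib.request.urlopen` is used, send the browser to `build_authorize_url(...)`, keep the PKCE verifier and state in the server-side session, and call `exchange_code` then `fetch_groups` from the callback handler. Because the org authorization server's token cannot be validated locally, the 401/403 branch in `fetch_groups` is where a rejected, expired or wrongly-issued token surfaces, so it should be handled rather than assumed away.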