MyProfile Replace Password not enabled

I logged into the org server for a user on a native app, and have attempted to use that to update the password (Password) of the user. I have the right scope granted and have checked to make sure my JWT has the right scope as well.

Whenever I try to then update the password I get an error telling me that the feature is not enabled. I am currently trying to implement this on the free integrator plan before we swap over to a paid plan. Looking through the settings I am not really sure what feature has to be enabled or if this is just not something which can be done on the free integrator plan. I have noticed that the “Replace a Password” API does work, so I am a bit confused as to why update password isn’t working too. I can’t even see the password complexity through the API since that is also a disabled feature apparently.
I have scoured the documentation for some reasoning behind the issue, but it isn’t clear to me what it is.

Can you share some more details about how you attempted to make this request? I was able to test it myself with an access token granted the okta.myAccount.password.manage scope using the following:

curl --location 'https://{{oktaDomain}}/idp/myaccount/password/change-password' \
--header 'Accept: application/json; okta-version=1.0.0' \
--header 'Authorization: Bearer {{accessToken}}' \
--header 'Content-Type: application/json' \
--data '{
    "oldPassword": "oldPassword123!",
    "newPassword": "newPassword123!"
}'

I tried again in curl replacing the relevant parts with my Okta domain and access token and I get the same error:

{
  "errorCode": "E0000015",
  "errorSummary": "You do not have permission to access the feature you are requesting",
  "errorLink": "E0000015",
  "errorId": "oae_kPB98MwQX6cziTUl8Jnxg",
  "errorCauses": []
}

The access token contains the correct scope otherwise I’d get an error referring to the scope not being granted:

"scp": [
  "openid",
  "okta.myAccount.password.manage",
  "okta.myAccount.password.read"
],

I logged into the Org authorization server for our Okta domain, which uses OIDC and MFA. Once logged in, I am sending a POST request to change-password as you have already shown. I have double-checked the header contents, but obviously that is not the issue here.
The 401 error I have provided above is returned.

I had seen this issue in the past posts when this was an early feature, but it is really strange that I am encountering it despite the feature, to my knowledge, not requiring anything to be enabled besides granting the correct scope. Is there any other info I can provide you that would help you discover the source of the issue? It seems to be pointing at some setting in Okta, and not the request, being the problem.

Can you check if you have the feature “End User Settings version 2.0” enabled in your org? If not, can you enable this feature (you should see it under Settings → Features) and retry?

Great! That fixed it. How was I supposed to know to enable this? I don’t see it mentioned anywhere.
It would be helpful to provide this in the developer documentation (MyAccount API) under the MyAccount API or in some place which would make this clear to others. I had originally looked to enable “IDP MyAccount Password API” in the features panel because of this page (Okta Help Center (Lightning)) and didn’t see it, so I assumed nothing needed to be changed there.

Yeah, I didn’t realise that feature was required either. I am, however, working on getting an article published that will explain this.
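The troubleshooting path this thread followed (confirm the scope in the token, then treat E0000015 as an org feature problem), as an added example that is not from any poster or from Okta. The function names and the sample tokens are constructed for illustration; the token payload is decoded for inspection only and its signature is not verified.

```python
import base64
import json

REQUIRED_SCOPE = "okta.myAccount.password.manage"  # scope named in the thread
FEATURE = "End User Settings version 2.0"          # feature named in the thread


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, error_body: str) -> str:
    """Classify a failed change-password call from the token and the error JSON."""
    scopes = jwt_claims(token).get("scp", [])
    if isinstance(scopes, str):  # tolerate a space-delimited scope string
        scopes = scopes.split()
    if REQUIRED_SCOPE not in scopes:
        return f"token lacks scope {REQUIRED_SCOPE}; grant it and re-authenticate"
    error = json.loads(error_body)
    if error.get("errorCode") == "E0000015":
        # Mapping taken from this thread's resolution, not from an official error table.
        return f"scope present; check that '{FEATURE}' is enabled under Settings > Features"
    return f"unhandled error {error.get('errorCode')}: {error.get('errorSummary')}"


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (hypothetical helper)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample data; the error fields mirror the response posted above.
SAMPLE_ERROR = json.dumps({
    "errorCode": "E0000015",
    "errorSummary": "You do not have permission to access the feature you are requesting",
})
GOOD_TOKEN = _make_token({"scp": ["openid", REQUIRED_SCOPE, "okta.myAccount.password.read"]})
BAD_TOKEN = _make_token({"scp": ["openid"]})

if __name__ == "__main__":
    print(diagnose(GOOD_TOKEN, SAMPLE_ERROR))
    print(diagnose(BAD_TOKEN, SAMPLE_ERROR))
```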
