OAuth for Okta with a service app with JWT

Hello there! Has anyone run into an issue where a service app set up to use JWT is unable to be granted the okta.apps.read scope?

Here are the basic steps I’m following.

  1. Grant the "okta.apps.manage" scope to the service app
  2. Configure the public key in the service app
  3. Sign the payload, i.e. with the private key:
    {
      "aud": "https://{okta-domain}/oauth2/v1/token",
      "iss": "{client_id}",
      "sub": "{client_id}",
      "exp": "1715031183060"
    }
  4. Retrieve the token from https://{okta-domain}/oauth2/v1/token by configuring these headers:
    client_assertion_type = urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion = signed payload
    scope = okta.apps.manage
  5. Successfully retrieve the bearer token from step 3
  6. Make a request to https://{okta-domain}/api/v1/apps
  7. Okta returns an error message like this:
    {
      "errorCode": "E0000006",
      "errorSummary": "You do not have permission to perform the requested action",
      "errorLink": "E0000006",
      "errorCauses": []
    }

Interestingly, if I try the same with okta.users.manage, it will return an empty list of users instead of a 403 error.

Any thoughts? TIA
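The flow in the post (build a private_key_jwt client assertion, send it to /oauth2/v1/token, then call /api/v1/apps and interpret E0000006) as a stand-alone Go example. This is added illustration, not code from the original post or from Okta. It uses only the Go standard library: an RSA key is generated in memory to stand in for the key pair whose public half is registered on the service app, the domain dev-000000.okta.com and client ID 0oaexampleclientid are constructed placeholders, and the forbidden response body is a constructed copy of the one quoted above. Two details differ from the payload in the post: exp and iat are emitted as JWT NumericDate values (integer seconds, not a millisecond string) and a jti is included, both of which the JWT and client-assertion specs call for; grant_type=client_credentials is the grant a service app uses with this assertion, which the post does not list. The E0000006 interpretation encodes the thread's own conclusion: the scope alone is not enough, the service app also needs an admin role.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// ClientAssertionClaims is the payload of the client_assertion JWT. exp and
// iat are NumericDate values: integers in seconds, not millisecond strings.
type ClientAssertionClaims struct {
	Aud string `json:"aud"` // the token endpoint itself
	Iss string `json:"iss"` // client_id of the service app
	Sub string `json:"sub"` // client_id again
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"` // unique per assertion so it cannot be replayed
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs the claims with RS256 (PKCS#1 v1.5 over SHA-256)
// using the private key whose public half is configured on the service app.
func BuildClientAssertion(oktaDomain, clientID string, key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims := ClientAssertionClaims{
		Aud: "https://" + oktaDomain + "/oauth2/v1/token",
		Iss: clientID,
		Sub: clientID,
		Iat: now.Unix(),
		Exp: now.Add(ttl).Unix(),
		Jti: hex.EncodeToString(jti),
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion checks the RS256 signature against the registered
// public key and returns the claims; this is the check the token endpoint does.
func VerifyClientAssertion(token string, pub *rsa.PublicKey) (ClientAssertionClaims, error) {
	var claims ClientAssertionClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return claims, fmt.Errorf("signature check failed: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims, err
	}
	return claims, json.Unmarshal(payload, &claims)
}

// TokenRequestBody is the form-encoded body POSTed to /oauth2/v1/token.
// These are body parameters, not HTTP headers.
func TokenRequestBody(assertion string, scopes []string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("scope", strings.Join(scopes, " "))
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

// OktaError mirrors the error document returned by /api/v1/* endpoints.
type OktaError struct {
	ErrorCode    string            `json:"errorCode"`
	ErrorSummary string            `json:"errorSummary"`
	ErrorLink    string            `json:"errorLink"`
	ErrorCauses  []json.RawMessage `json:"errorCauses"`
}

// SampleForbiddenBody is a constructed copy of the 403 body quoted in the post.
const SampleForbiddenBody = `{"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorLink":"E0000006","errorCauses":[]}`

// ExplainAPIError turns an Okta error body into an actionable message. E0000006
// after a token with the right scope means the scope was granted but the service
// app holds no admin role (the thread's conclusion); assign one, e.g. via
// POST /oauth2/v1/clients/{clientId}/roles.
func ExplainAPIError(body []byte) (string, error) {
	var e OktaError
	if err := json.Unmarshal(body, &e); err != nil {
		return "", err
	}
	if e.ErrorCode == "E0000006" {
		return "E0000006: scope granted but no admin role on the service app; assign a role via POST /oauth2/v1/clients/{clientId}/roles", nil
	}
	return e.ErrorCode + ": " + e.ErrorSummary, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the app's registered key pair
	assertion, _ := BuildClientAssertion("dev-000000.okta.com", "0oaexampleclientid", key, time.Now(), 5*time.Minute)
	claims, _ := VerifyClientAssertion(assertion, &key.PublicKey)
	fmt.Printf("aud=%s exp=%d\n", claims.Aud, claims.Exp)
	fmt.Println(TokenRequestBody(assertion, []string{"okta.apps.manage"})[:60] + "...")
	msg, _ := ExplainAPIError([]byte(SampleForbiddenBody))
	fmt.Println(msg)
}
```

The token response from Okta is not modelled, since nothing offline can stand in for it; the point of the example is that a correctly signed assertion and the right scope are necessary but not sufficient for /api/v1/apps, and that the 403 with E0000006 is the signal to look at the service app's admin roles rather than at the JWT.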

What Admin Role(s) did you grant your Service app?

Hi Andrea,

I don't think I actually did that. Is there a way to do that through the UI, or does it have to be through POST /oauth2/v1/clients/${yourServiceAppId}/roles?

This solved my problem
