In our logs, we’re noticing that some of our customers’ Okta API Tokens seem to have stopped working on/around May 24-25. As far as we know, the tokens were not revoked or expired. Has anyone else reported/experienced things going wrong with API Tokens around GET /users specifically?
Are you able to see any messages in the system.log for your Okta Org about revocation?
API Tokens will automatically be revoked if they are not used for 30 days. Each time the token is used the 30 day counter resets.
No, the token hasn’t been revoked. The customer in question can use the API Token to send GET requests to /users and /groups, which is what we need the API Token to do (via our use of the Okta Java SDK to do so).
However, I think we’ve isolated the issue to permissions associated with the Okta token. When a token is generated with, say, “Read-Only Administrator” permissions, then everything works fine on our end. When a token is generated with only Users and Groups read permissions, however, we’re running into timeouts from Okta when we send requests to the /users and /groups endpoints via the Okta Java SDK.
Is this a known limitation on Okta’s end? Anything we can do here to alleviate the problem for customers who don’t want to give Read-Only Administrator permissions, but would like to only give the minimum required permissions to our application (read users and read groups)?
If there is a permission issue then an error should be returned from an API call.
There wouldn’t be a timeout (or shouldn’t).
Can you supply your Org details and the date/time of a /users call so support can check the backend logs?
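An added diagnostic script (not from this thread or the Okta Java SDK) that makes the same distinction the reply above draws: one authenticated GET /users call, with a revoked or invalid token (401), a valid token whose admin role lacks the permission (403), and a timeout reported as three different outcomes. It uses the Python standard library instead of the Java SDK; the org URL and SSWS token are placeholders, and the `opener` parameter exists only so the function can be exercised offline.

```python
import json
import socket
import urllib.error
import urllib.request

PROBE_PATH = "/api/v1/users?limit=1"  # the endpoint the thread is about


def classify_http_error(http_status, body):
    """Map an Okta error response to a diagnosis. `body` is the parsed JSON
    error document (may be empty); Okta's own errorCode is passed through."""
    okta_code = body.get("errorCode", "") if isinstance(body, dict) else ""
    if http_status == 401:
        status = "token_invalid_or_revoked"   # bad, expired or revoked SSWS token
    elif http_status == 403:
        status = "insufficient_permissions"   # token accepted, admin role lacks the right
    elif http_status == 429:
        status = "rate_limited"               # back off; not a token problem
    else:
        status = "http_error"
    return {"status": status, "http": http_status, "errorCode": okta_code}


def probe_token(org_url, api_token, timeout=10, opener=urllib.request.urlopen):
    """One authenticated GET against PROBE_PATH. `opener` is injectable (hypothetical
    parameter for offline testing); it is urllib.request.urlopen by default."""
    req = urllib.request.Request(
        org_url.rstrip("/") + PROBE_PATH,
        headers={"Authorization": "SSWS " + api_token, "Accept": "application/json"},
    )
    try:
        with opener(req, timeout=timeout) as resp:
            return {"status": "ok", "http": resp.status}
    except urllib.error.HTTPError as err:      # must precede URLError (subclass)
        try:
            body = json.loads(err.read().decode("utf-8", "replace"))
        except ValueError:
            body = {}
        return classify_http_error(err.code, body)
    except (socket.timeout, TimeoutError) as err:   # read timeout surfaces directly
        return {"status": "timeout", "detail": str(err)}
    except urllib.error.URLError as err:            # connect timeout is wrapped
        if isinstance(err.reason, (socket.timeout, TimeoutError)):
            return {"status": "timeout", "detail": str(err.reason)}
        return {"status": "network_error", "detail": str(err.reason)}


if __name__ == "__main__":
    # Placeholders: replace with the real org URL and an SSWS API token.
    print(probe_token("https://YOUR-ORG.okta.com", "YOUR_API_TOKEN"))
```

A "timeout" result for a token that returns 403 when called by hand is worth raising with support together with the org and timestamp, since neither a revoked token nor a missing permission should present that way.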
So, it doesn’t seem to be as straightforward as “We’re asking for a resource that this API Token doesn’t give us permission to access.” After all, the customer (who generated the Okta API Token) can use it manually to GET /users and GET /groups just fine.
I’m wondering if this “Known Limitation” briefly described in the Okta Users API docs has anything to do with what’s going on? Users | Okta Developer