Hi there, I apologize in advance if this is a common topic but I couldn’t find anything matching my exact use case.
I’m wondering if it’s possible to direct external users on our web application to the Okta login widget, and then store their fetched auth token/refresh token to run cron jobs and create reports with the data our scopes allow us to pull.
We essentially want to allow the external user to provide us with an auth token which we then use to call the log API to fetch their entire organization SSO logs (not just for a single application). I’ve done this on several other providers, but having a bit of trouble on the Okta one.
Typically, for any Okta Org, your application would have an integration with that Org, which would configure an OIDC application for your App, and your App would redirect users to it for authentication. Your app would then acquire tokens.
Tokens can be scoped with Okta API scopes which allow various management operations, but the user associated with this token needs to also be part of an Admin Role which provides the permissions for the operations the scope allows. See,
It is also possible to do the same with a service application that does not require a user to be associated with the token,
This also requires you to set up an integration with the customer Org(s) which means they need to create the application and allow your app access.
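As an added example (not code from the thread, and not Okta's own SDK), the following shows the two pieces the answer describes for the service-application route: the client_credentials token request a service app sends to the Org authorization server, scoped to `okta.logs.read`, and a pager that follows the System Log API's `Link: ...; rel="next"` cursor until the Org stops returning events. The Okta domain, client id and log events are constructed placeholders, the signed `private_key_jwt` client assertion is passed in as an opaque string (signing it with the app's private key is out of scope here), and HTTP is injected as a function so the logic runs offline against constructed responses.

```python
"""Added example (not from the thread): client_credentials token request for an
Okta service application plus System Log pagination over constructed data."""
import json
import re
from typing import Callable, Iterator, Optional, Tuple
from urllib.parse import urlencode

OKTA_DOMAIN = "https://example.okta.com"   # placeholder customer Org
CLIENT_ID = "0oaEXAMPLECLIENTID"           # placeholder service app client id
SCOPES = ("okta.logs.read",)               # least privilege: log reads only

def build_token_request(client_assertion: str, scopes=SCOPES) -> Tuple[str, str]:
    """Return (token_endpoint, form_body) for the client_credentials grant.
    The private_key_jwt assertion is produced elsewhere with the app's key and
    is treated here as an opaque string."""
    body = urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": client_assertion,
    })
    return f"{OKTA_DOMAIN}/oauth2/v1/token", body

def granted_scopes(token_response: str) -> set:
    """Return the scopes Okta actually granted. A service app only receives
    scopes the customer's admin granted on the app, so check this before
    scheduling jobs that depend on them."""
    return set(json.loads(token_response).get("scope", "").split())

_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')

def next_link(link_header: str) -> Optional[str]:
    """Extract the rel="next" URL from a Link header, if present."""
    for url, rel in _LINK_RE.findall(link_header or ""):
        if rel == "next":
            return url
    return None

def iter_log_events(fetch: Callable[[str], Tuple[str, str]], since: str,
                    limit: int = 100) -> Iterator[dict]:
    """Yield every System Log event from `since` onward, following the
    rel="next" cursor until an empty page comes back (Okta keeps returning a
    next link, so the empty page is the stop condition). `fetch(url)` returns
    (body_json, link_header)."""
    url = f"{OKTA_DOMAIN}/api/v1/logs?" + urlencode({"since": since, "limit": limit})
    seen = set()                      # guard against a cursor that never advances
    while url and url not in seen:
        seen.add(url)
        body, link = fetch(url)
        events = json.loads(body)
        if not events:
            break
        yield from events
        url = next_link(link)

# Constructed responses standing in for the customer Org (not real log data).
_PAGES = {
    f"{OKTA_DOMAIN}/api/v1/logs?since=2024-01-01T00%3A00%3A00Z&limit=2": (
        json.dumps([{"uuid": "e1", "eventType": "user.session.start"},
                    {"uuid": "e2", "eventType": "user.authentication.sso"}]),
        f'<{OKTA_DOMAIN}/api/v1/logs?after=c2&limit=2>; rel="next"'),
    f"{OKTA_DOMAIN}/api/v1/logs?after=c2&limit=2": (
        json.dumps([{"uuid": "e3", "eventType": "user.session.end"}]),
        f'<{OKTA_DOMAIN}/api/v1/logs?after=c3&limit=2>; rel="next"'),
    f"{OKTA_DOMAIN}/api/v1/logs?after=c3&limit=2": (
        "[]", f'<{OKTA_DOMAIN}/api/v1/logs?after=c3&limit=2>; rel="next"'),
}

def fake_fetch(url: str) -> Tuple[str, str]:
    """Stand-in for the HTTP GET with the bearer token attached."""
    return _PAGES[url]

def collect_event_ids(since: str = "2024-01-01T00:00:00Z") -> list:
    """Run the pager over the constructed Org and return the event uuids."""
    return [e["uuid"] for e in iter_log_events(fake_fetch, since, limit=2)]

if __name__ == "__main__":
    endpoint, form = build_token_request("<signed-client-assertion-jwt>")
    print(endpoint, form)
    print(collect_event_ids())
```

The scope list is deliberately just `okta.logs.read`: the cron job that pulls logs needs nothing else, and whatever the customer's admin grants on the app is the ceiling anyway, which is why `granted_scopes` is worth checking on the token response before a job is scheduled against it.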
Ah ok, thank you for the info. I was hoping that wouldn’t be the case.
So it’s not possible to get delegated tokens for APIs with just having them log in with their credentials? I’d like to make it less work for other users if possible.