I am using the Okta Widget to log in to the application. Then, after logging in to the application, the user can update his password. To update the password, I thought of using the Okta Users API - Change password. But this requires an SSWS API key to do it. It means a new Okta API token would need to be generated for my needs in Okta → Security → API token.
I was advised by our Okta admins to add a new application - API Services - and use the client ID and secret to do it. I tried this kind of approach through Postman - calling a Users API endpoint with Basic Auth.
I set up Postman:
Test case - try to get user using client/secret
Authorization: Basic
Username: {{clientId}}
Password: {{clientSecret}}
Url: {{url}}/api/v1/users/{{userId}}
Result: I am getting an Invalid Session error back.
Is it possible to update a user’s password using client/secret authorization? Or do I need an Okta API token for it?
Thank you for the tutorial. It is useful, but it explains how to authorize using the default authorization server and I am trying to use a custom one - if possible…
I am still not able to make it work.
I have a custom authorization server and I am able to set up Postman to generate an access token using my custom authorization server, but when I try to use it against any Okta API URL, it gives me errors.
I get the token through my custom authorization server:
I need to add that my custom authorization server doesn’t have the okta.users.read scope because it is not possible to add it. It throws an error when I try to add it:
This name is reserved. Must not start with 'okta.' or 'okta:' and must not be only 'okta' or '*'.
But I think if that were the reason, I would get a different error message anyway - complaining about the scope and not the authorization server id…
Thank you for your response.
I am doing some investigation of the MyAccount API. I must admit I wasn’t aware of it, so thank you for the suggestion.
My actions:
I used the Okta widget to log in to the application. I got the access token back for the user, then I went to Postman and tried:
GET {{devOktaPreview}}/idp/myaccount/profile
with the access token as a Bearer token.
I got this error back:
www-authenticate: Bearer authorization_uri="http://devOkta.okta.com/oauth2/v1/authorize", realm="http://devOkta.okta.com", scope="okta.myAccount.profile.read", error="insufficient_scope", error_description="The access token provided does not contain the required scopes.", resource="/idp/myaccount/profile"
My custom authorization server has the scope okta.myAccount.profile.read, but I am not sure if my application has it (I don’t have access to the Scopes tab on applications for now…)
When I initialize the Okta Widget I provide the scope like this:
// Build the Okta Sign-In Widget from the application's oktaConfig object (defined elsewhere in the app)
function createOktaSignIn(oktaConfig) {
  // Search the URL parameters to see if a user is being routed to the application to recover a password
  var searchParams = new URL(window.location.href).searchParams;
  oktaConfig.otp = searchParams.get('otp');
  oktaConfig.state = searchParams.get('state');
  const oktaSignIn = new OktaSignIn(oktaConfig);
  return oktaSignIn;
}
Do you think it is the correct approach to take? Using the Okta widget access token through Postman?
You will need to make sure your application allows the scope.
If you are not sure, and you are requesting the scope in your application, you can verify whether that scope is granted by either:
checking your Okta Org logs, or
taking the access_token returned and going to https://jwt.io to check the scp claim and see if it is there.
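The same check done locally, as an added example that is not part of this thread or of Okta's code: parse the WWW-Authenticate challenge returned by the MyAccount endpoint, decode the access token's payload the way jwt.io does (no signature verification, debugging only), and list which demanded scopes are missing from the scp claim. The token and challenge values below are constructed sample data; example.okta.com is a placeholder org.

```javascript
// Added example: decode an Okta access token locally and compare its scp claim
// with the scope demanded in a WWW-Authenticate challenge. Like jwt.io this only
// base64url-decodes the payload and does NOT verify the signature, so it is a
// debugging aid for insufficient_scope errors, never an authorization check.

// Parse a Bearer challenge such as the one returned by /idp/myaccount/profile
// into a plain object, e.g. { scope: "...", error: "insufficient_scope", ... }.
function parseWwwAuthenticate(header) {
  const params = {};
  const body = header.replace(/^\s*Bearer\s+/i, '');
  for (const m of body.matchAll(/(\w+)="([^"]*)"/g)) {
    params[m[1]] = m[2];
  }
  return params;
}

// Decode the JWT payload (second compact-serialization segment) without verifying it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Scopes the resource demanded that are absent from the token's scp claim.
// An empty result means the token already carries every required scope.
function missingScopes(token, wwwAuthenticate) {
  const demanded = (parseWwwAuthenticate(wwwAuthenticate).scope || '').split(/\s+/).filter(Boolean);
  const granted = new Set(decodeJwtPayload(token).scp || []);
  return demanded.filter((s) => !granted.has(s));
}

// Constructed sample data (not real Okta output): a demo token whose scp lacks the
// MyAccount scope, with a placeholder signature segment, and the matching challenge.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_TOKEN = [
  b64url({ alg: 'RS256', kid: 'demo-kid', typ: 'JWT' }),
  b64url({ sub: 'demo-user', scp: ['openid', 'profile', 'email'], exp: 4102444800 }),
  'placeholder-signature',
].join('.');
const SAMPLE_CHALLENGE =
  'Bearer authorization_uri="https://example.okta.com/oauth2/v1/authorize", realm="https://example.okta.com", ' +
  'scope="okta.myAccount.profile.read", error="insufficient_scope", ' +
  'error_description="The access token provided does not contain the required scopes.", resource="/idp/myaccount/profile"';

console.log(missingScopes(SAMPLE_TOKEN, SAMPLE_CHALLENGE)); // → [ 'okta.myAccount.profile.read' ]
```

Run it with a real token and the real header from the Postman response to see exactly which scope the widget config still has to request.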
I like it. It works now, but I am not sure if the solution is good enough for me, as I will need to allow the user to:
update password
update security question
update MFA
and, as far as I can see, the MyAccount API doesn’t have methods for these. But I am happy I made it work, as maybe it will be useful for some use cases in the future, so thank you Erik for your suggestions.
How I made it work - just for people who will try to use it in the future and see this post:
I added the scopes to the Okta widget config to make sure I am requesting them in the access token: