Scope for client_credentials grant type

Questions
1

Hi,

My requirement is simple:
My application wants the list of groups that a user in Okta belongs to.

So for this, I have çreated a Service App in Okta, got the client_id and client_secret, and I am generating an access token for this app using grant_type as “client_credentials”.

The following is how my request looks like:

POST:
https://dev-584125.oktapreview.com/oauth2/default/v1/token?grant_type=client_credentials&scope=IVCustomScope&client_id=<client_id_here>&client_secret=<client_secret_here>

If you notice if we dont give a scope the call fails ( as default scope is not supported for client_credentials grant type).
So I define a custom scope under default authorization server, and I associate a claim type to this scope. Here is the screenshot of the claim that I created

57%20PM

Now if I use the above generated access token, and try hitting the following API:
https://dev-584125-admin.oktapreview.com/api/v1/users/00ujkz9360E9rtyhO0h7/groups

I receive 403 Forbidden Error. Here is the screenshot:

09%20PM
Screenshot 2019-04-22 at 3.01.09 PM.png1512×830 86.3 KB

I am sure it is related to some scope settings, which I am unable to fix. And why are the default scopes not working/supported for client_credentials grant type. Please help.

Thanks,
Ram

2

Hi @ram87reddy

When doing the POST request to /token, would it be possible to send the query parameters as POST attributes instead, as described here? This would help in mitigating any possible man-in-the-middle attacks in which the url components are captured.

Regarding the 403 issue, in order to use the access token to access the API endpoints, you require the OAuth 2.0 for Okta APIs feature. At the moment, this feature is in beta and you can enroll in the testing program by clicking here.

3

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.