The roles are not visible in the access token for grant type Client Credentials grant type

Hi Community Team,
I need you help on the below,
Here is one example: Service A is utilizing the API of Service B, which is protected with @RolesAllowed. The service A consumes the API with the grant_type client_credentials access token. However, we are encountering a 403 error as the request is being denied due to the absence of roles in the access token for grant_type client_credentials in Okta. Could you please assist me in resolving this issue? Note: The request is being authenticated but is being denied with a 403 error.

Findings:
Okta supports sending attributes (including group attributes) for tokens associated with actual users. There does not seem to be any way to associate attributes for client_credentials grant because its not associated with a user. This is a deficiency in Okta Auth server because many other Auth servers (like Keycloak etc) do support this.

is there any workaround to resolve this ?

As you saw, user context is required to return information related to users or group membership. If you are completing Client Credentials flow, there is no user in context and therefore our Groups.startsWith etc functions will not work

The best workaround I can think of would be pretty manual, which is to configure an application profile attribute to hold the list of groups associated with the application and pull that list into the token claim. Check out the steps in this guide for using a static allow list to see if it will work for you: Customize tokens returned from Okta with a static allow list | Okta Developer

1 Like

Oh, I also found an Okta Idea that seems to match your use case, Idea #166547. I would definitely recommend upvoting it there so our Product team better track interest in this feature enhancement request

1 Like

Thank you for your reply. I successfully logged into Okta using Google Sign-In and created my account through the same process. Although I have some access with my account, I am unable to reset the password since it was created directly with Gmail.

I am not able to access the thread Idea #166547 and getting an error message showing in attached screenshot.
My domain: dev-79632458.okta.com

Are you able to follow the instructions here on how to launch Okta Ideas from the Okta Help Center?