The roles are not visible in the access token for the Client Credentials grant type

Hi Community Team,
I need your help with the issue below.
Here is one example: Service A is utilizing the API of Service B, which is protected with @RolesAllowed. Service A consumes the API with a grant_type client_credentials access token. However, we are encountering a 403 error, as the request is being denied due to the absence of roles in the access token for grant_type client_credentials in Okta. Could you please assist me in resolving this issue? Note: the request is being authenticated but is being denied with a 403 error.

Findings:
Okta supports sending attributes (including group attributes) for tokens associated with actual users. There does not seem to be any way to associate attributes with the client_credentials grant because it's not associated with a user. This is a deficiency in the Okta Auth server because many other Auth servers (like Keycloak etc.) do support this.

Is there any workaround to resolve this?

As you saw, user context is required to return information related to users or group membership. If you are completing the Client Credentials flow, there is no user in context and therefore our Groups.startsWith etc. functions will not work.

The best workaround I can think of would be pretty manual, which is to configure an application profile attribute to hold the list of groups associated with the application and pull that list into the token claim. Check out the steps in this guide for using a static allow list to see if it will work for you: Customize tokens returned from Okta with a static allow list | Okta Developer

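To make the workaround above concrete from the resource-server side, here is an added example (not code from the thread or from Okta) of how Service B could derive roles from either kind of token: a user token carrying the usual `groups` claim, or a client_credentials token carrying a custom claim, here assumed to be named `app_groups` and assumed to be populated from an application profile attribute via a custom claim on the authorization server, as the static allow list guide describes. The token contents and client ids are constructed for the demo, and signature verification is left to the real JWKS validation step that must run before any claim is trusted.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature).

    Signature verification is deliberately not done here: a real resource
    server validates the token against the authorization server's JWKS
    first and only then treats the claims as trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def extract_roles(claims: dict) -> set:
    """Collect roles from a user token's 'groups' claim and, for a
    client_credentials token, from the custom 'app_groups' claim.
    'app_groups' is an assumed claim name for this example."""
    roles = set()
    for claim in ("groups", "app_groups"):
        value = claims.get(claim)
        if isinstance(value, list):
            roles.update(str(v) for v in value)
    return roles


def authorize(claims: dict, allowed: set) -> tuple:
    """Mimic @RolesAllowed: authenticated, but no matching role -> 403."""
    roles = extract_roles(claims)
    matched = roles & allowed
    if matched:
        return 200, "allowed via roles %s" % sorted(matched)
    if not roles:
        return 403, "authenticated, but the token carries no role claim"
    return 403, "authenticated, but roles %s are not in the allow list" % sorted(roles)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed demo token; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([enc(header), enc(claims), "placeholder-signature"])


# Constructed claim sets; the client ids are placeholders, not real Okta ids.
ALLOWED = {"api-readers"}
USER_CLAIMS = {"sub": "user@example.com", "cid": "0oa_client_placeholder",
               "groups": ["api-readers"]}
CC_CLAIMS_BARE = {"sub": "0oa_service_a_placeholder", "cid": "0oa_service_a_placeholder",
                  "scp": ["serviceb.read"]}
CC_CLAIMS_APP_GROUPS = dict(CC_CLAIMS_BARE, app_groups=["api-readers"])


def demo() -> dict:
    """Return the HTTP status each token kind would receive from Service B."""
    results = {}
    cases = (("user", USER_CLAIMS),
             ("client_credentials", CC_CLAIMS_BARE),
             ("client_credentials+app_groups", CC_CLAIMS_APP_GROUPS))
    for name, claims in cases:
        status, _reason = authorize(jwt_claims(make_unsigned_token(claims)), ALLOWED)
        results[name] = status
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The middle case reproduces the 403 from the original question: the request is authenticated (the token parses and would verify) but carries no role claim at all. The third case is the workaround: once the authorization server emits the custom claim from the application profile attribute, the same `@RolesAllowed`-style check passes without any user in context.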

Oh, I also found an Okta Idea that seems to match your use case, Idea #166547. I would definitely recommend upvoting it there so our Product team can better track interest in this feature enhancement request.


Thank you for your reply. I successfully logged into Okta using Google Sign-In and created my account through the same process. Although I have some access with my account, I am unable to reset the password since it was created directly with Gmail.

I am not able to access the thread Idea #166547 and am getting the error message shown in the attached screenshot.
My domain: dev-79632458.okta.com

Are you able to follow the instructions here on how to launch Okta Ideas from the Okta Help Center?
