I am trying to access the /users endpoint with a bearer token.
To create an access token I am using the client credentials flow, which is described in the document below: Implement authorization by grant type | Okta Developer
The access token gets created successfully using the request below
An admin user can get a token that will work against that endpoint (using a Web/SPA/Native app), because end users do not have sufficient permissions to list users, per the admin permissions table.
An admin user can get a token that will work against that endpoint
Are you talking about manually creating an API token in the web console?
I’m authenticating via the OAuth2 API with the super admin account and receive an error.
No, I mean if an admin logs into an OAuth2 application and gets an admin token with the appropriate okta.* scopes, they should be able to make the same API calls they could make if they were to have generated an API token instead.
What endpoint are you using, what error are you seeing, and how are you sending the access token to Okta (are you passing it along as a Bearer token?)
I have a Web application with the Implicit/Code/Client_Credentials flows enabled, as well as the okta.users.read Okta API permission granted.
I tried the implicit and code authentication flows and used these endpoints: https://mydomain.okta.com/oauth2/default/v1/authorize https://mydomain.okta.com/oauth2/default/v1/token
and logged in with the super admin account, as well as client_credentials with the same endpoint.
With this endpoint I can get only the openid/email/profile permissions.
For the rest of the API permissions I get an error: One or more scopes are not configured for the authorization server resource
When I log in to the endpoint https://mydomain.okta.com/oauth2/v1/token with the client_credentials authentication flow I get this error: Only clients with 'application_type' of 'service' may use the client_credentials 'grant_type' with the Org Authorization Server
Admin logs into an OAuth2 application and gets an admin token
I’m talking about the client_credentials flow. There we log in with client_id/client_secret or a client_assertion. We don’t use any “admin” credentials.
As I said, you cannot use a Web app with the client_credentials flow to get the okta.* API scopes. You can only use an API Services type application. You will need to create a second app as an API Services app, per our documentation, to get access tokens to use against Okta APIs with this grant type.
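The request the answer above describes, as an added example that is not part of the thread and not Okta's own code: a client_credentials grant against the Org Authorization Server's /oauth2/v1/token endpoint (the one from the thread, where okta.* scopes are issued, as opposed to the custom /oauth2/default server), authenticated with client_id and client_secret, followed by a GET of /api/v1/users with the token sent as a Bearer token. The org URL is the thread's placeholder; the client ID, secret and sample responses are constructed for illustration, and the parser recognizes the two error_description strings quoted in the thread so a caller can tell "wrong app type" from "scope not on this server". The `error` values in the constructed failure responses are assumptions; only `error_description` is matched.

```python
"""Client-credentials token request against the Okta Org Authorization Server.

Added example (not from the thread or from Okta). Assumes an API Services app
using a client secret; the client ID and secret below are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

ORG_URL = "https://mydomain.okta.com"        # placeholder domain from the thread
CLIENT_ID = "0oaEXAMPLECLIENTID"             # hypothetical client_id
CLIENT_SECRET = "exampleClientSecretValue"   # hypothetical client_secret

# error_description strings quoted verbatim in the thread
ERR_SCOPE_NOT_CONFIGURED = ("One or more scopes are not configured for the "
                            "authorization server resource")
ERR_WRONG_APP_TYPE = ("Only clients with 'application_type' of 'service' may use "
                      "the client_credentials 'grant_type' with the Org "
                      "Authorization Server")


class OktaTokenError(RuntimeError):
    def __init__(self, error, description, hint):
        super().__init__(f"{error}: {description} ({hint})")
        self.error, self.description, self.hint = error, description, hint


def build_token_request(org_url, client_id, client_secret, scopes):
    """Return (url, headers, body) for a client_credentials grant.

    Targets the Org Authorization Server (/oauth2/v1/token): okta.* API scopes
    are only issued there, which is why /oauth2/default rejects them. Client
    authentication is client_secret_basic (a client_assertion JWT is the
    alternative the thread mentions and is not shown here).
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": " ".join(scopes)})
    return f"{org_url}/oauth2/v1/token", headers, body


def diagnose(status, payload):
    """Return (access_token, None) on success, or (None, hint) on failure,
    mapping the two failures seen in the thread to their cause."""
    if status == 200 and "access_token" in payload:
        return payload["access_token"], None
    desc = payload.get("error_description", "")
    if desc == ERR_WRONG_APP_TYPE:
        return None, "client is a Web/SPA/Native app; create an API Services app"
    if desc == ERR_SCOPE_NOT_CONFIGURED:
        return None, "scope not defined on this server; okta.* scopes need the Org AS"
    return None, "unrecognized failure, see error_description"


def parse_token_response(status, payload):
    """Return the access token or raise OktaTokenError with the diagnosis."""
    token, hint = diagnose(status, payload)
    if token is None:
        raise OktaTokenError(payload.get("error", "unknown_error"),
                             payload.get("error_description", ""), hint)
    return token


def request_token(org_url, client_id, client_secret, scopes):
    """Perform the grant over the network (requires a real org)."""
    url, headers, body = build_token_request(org_url, client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:      # Okta returns 4xx with a JSON body
        return parse_token_response(e.code, json.load(e))


def build_users_request(org_url, access_token, limit=20):
    """GET /api/v1/users, passing the access token as a Bearer token."""
    query = urllib.parse.urlencode({"limit": limit})
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return f"{org_url}/api/v1/users?{query}", headers


# Constructed sample responses (not captured from Okta); `error` values assumed.
SAMPLE_OK = (200, {"token_type": "Bearer", "expires_in": 3600,
                   "scope": "okta.users.read", "access_token": "eyJ.constructed.token"})
SAMPLE_WRONG_TYPE = (400, {"error": "invalid_client", "error_description": ERR_WRONG_APP_TYPE})
SAMPLE_BAD_SCOPE = (400, {"error": "invalid_scope", "error_description": ERR_SCOPE_NOT_CONFIGURED})

if __name__ == "__main__":
    url, headers, body = build_token_request(ORG_URL, CLIENT_ID, CLIENT_SECRET, ["okta.users.read"])
    print("POST", url, body)
    for sample in (SAMPLE_OK, SAMPLE_WRONG_TYPE, SAMPLE_BAD_SCOPE):
        print(diagnose(*sample))
    print(build_users_request(ORG_URL, SAMPLE_OK[1]["access_token"]))
```

Only `request_token` touches the network; everything else builds or interprets messages, which is what you want when checking an integration that keeps failing: confirm the request goes to the Org AS, carries the right scope and client authentication, and that the app behind the client ID is of type service before looking anywhere else.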
This is a real problem. We want to use one integration for both user login (implicit/code) and API access (client_credentials). Otherwise, will we also have to publish two applications in the OAN web store?
The client_credentials flow is not supported in the OAN at this time either. You may want to file feature requests on our Okta Ideas site for these implementation gaps.