Unable to add grants with OAuth2 access token

Is it possible to add grants using the OAuth2 access token?

I’m able to call the add grant API with the API token, but I would prefer to use an access token instead. However, I keep getting an “Invalid Session” error (E0000005).

Are you trying to modify a different or the same client application than/as the one you used to get your token?

I was modifying a different client application. I basically used the access token to create a client application and want to grant some scopes with that token as well. However, it seems like that’s not possible.

Did you grant the client you are getting the access token for the right scopes to make this request AND is the user requesting the token of a sufficient admin role to modify other applications?

Yeah I mean I have client.manage, client.read, app.manage, app.read and I’m a super admin.

I’m basically using an existing application access token and creating another application with specific scopes.

In addition to my comment above, I can’t even grant on the client where I get the access token from.

I am also working on a similar flow to grant access to an app using the OAuth2 access token. Any suggestion if this is possible?

If you’re also asking about getting tokens you can use against the Okta API on behalf of a user, I recommend reading our guide about OAuth for Okta to ensure everything is set up correctly: Implement OAuth for Okta | Okta Developer

Hi Andrea, thanks for the response. I have gone through the documentation, but it looks like we cannot grant scopes to an app using the Bearer token, and we need to use an API token created by a user with the Super Admin role only.

Is this currently a limitation of the grant scope endpoint https://{okta_domain}/api/v1/apps/{client_id}/grants ?

Are you trying to modify the Okta API scopes for the same application that was granted an OAuth token? If you try to instead update a different application, does it work?

I have created an OIDC App which has access to manage apps. I have created an OAuth token for this App.
I am able to create a service app using this OAuth token. Now, when I am trying to grant the okta.users.read scope to this new App, I am not able to do that using the OAuth token.

What scopes did you request for the token your service app is using? Did you request the okta.apps.manage scope? Are you able to update other aspects of the second application (such as its label) with this token?

I requested the “okta.users.read” scope to be granted to the service app using the OAuth token.
I tried to grant the “okta.apps.manage” scope to the service app as well, but it also throws a 403 Forbidden in response.

However, I am able to update the label of the service app (second application) using the OAuth token.
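The call under discussion in this thread, as an added example that is not from the original posts or from Okta's own SDK: it builds the POST to the `/api/v1/apps/{client_id}/grants` endpoint with a Bearer token and maps the two failures reported here (E0000005 "Invalid Session" and 403 Forbidden) to what to check next. The request body shape (`scopeId` plus `issuer`), the example domain and the app ID are assumptions, not values from the thread.

```python
import json
import urllib.error
import urllib.request

# Constructed placeholders: replace with your own org domain, app ID and token.
OKTA_DOMAIN = "https://example.okta.com"
APP_ID = "0oa_PLACEHOLDER_APP_ID"


def build_grant_request(okta_domain, app_id, scope_id, access_token):
    """Build the POST that grants an Okta API scope to an app.

    Assumes the grant body is {"scopeId": ..., "issuer": ...} (not from the thread).
    """
    url = f"{okta_domain}/api/v1/apps/{app_id}/grants"
    body = json.dumps({"scopeId": scope_id, "issuer": okta_domain}).encode()
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def classify_grant_response(status, body_text):
    """Map the HTTP status and Okta error body to the failure modes seen in this thread."""
    try:
        error_code = json.loads(body_text).get("errorCode", "")
    except (ValueError, AttributeError):
        error_code = ""
    if status in (200, 201):
        return "granted"
    if error_code == "E0000005":
        # "Invalid Session": the token was not accepted for this endpoint at all.
        return "token_not_accepted"
    if status == 403:
        # Authenticated but not authorized: check the scopes granted to the
        # client the token was issued to and the admin role of the principal.
        return "insufficient_scopes_or_role"
    return f"other:{status}:{error_code}"


def grant_scope(okta_domain, app_id, scope_id, access_token):
    """Perform the grant call and return the classified outcome (needs network)."""
    req = build_grant_request(okta_domain, app_id, scope_id, access_token)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_grant_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_grant_response(err.code, err.read().decode())
```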

Hi @andrea, Happy New Year to you. Any suggestion on the above?