I have a backend service which needs to fetch logs from Okta system/logs api.
To be able to do that I have implemented OAuth with Okta with a Service app by following this document Implement OAuth for Okta with a service app | Okta Developer.
I am getting an access token using the Client Credentials grant flow with the OAuth service app.
The problem which I am facing is I am getting a 403 if I don’t assign “Report Administrator” to the service app.
Is it mandatory to assign the admin role to call the System Log API using this approach? Is there any alternative where I don’t have to assign any role?
Yes, this is required with the rollout of the feature to assign admin roles to applications, as described in our guide here:
Before Okta provided the ability to assign admin roles to service apps, the Super Administrator (SUPER_ADMIN) role was automatically assigned to all service apps. You can now fine-tune the resources that a service app can access by assigning specific standard or custom admin roles. No role is automatically assigned, so you must assign a role before you use the service app. If you have a Production org and want to turn on the Assign admin roles to public client apps feature, see Manage Early Access and Beta features.
You should be using this functionality to down-scope the access this client application has to the least privilege needed. For example, if you want to enable the okta.users.read scope, you can use the admin roles to ensure that your service app is only able to read a certain subset of users (for example, users in a specific group).
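The practical consequence of the answer above is that a service app is gated by two separate controls: the OAuth scope granted to the app (visible as the `scp` claim in the access token) and the admin role assigned to the app. A 403 from `/api/v1/logs` with a token that already carries `okta.logs.read` means the first control passed and the second is missing. The following is an added example, not code from the original thread or from Okta; it uses only the Python standard library. It assumes the org URL `https://example.okta.com` as a placeholder, and that the `client_assertion` JWT (signed with the app's private key, as in Okta's service-app guide) has already been built; the signing step is not shown here. The sample token used offline is constructed and unsigned.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

OKTA_ORG = "https://example.okta.com"  # assumed placeholder; replace with your org URL
LOGS_SCOPE = "okta.logs.read"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_request(org_url, client_assertion, scope=LOGS_SCOPE):
    """Return (url, form_body) for the client_credentials grant.

    The service app authenticates with private_key_jwt: `client_assertion` is
    the JWT signed with the app's private key (built as in Okta's guide; the
    signing step is outside this example).
    """
    form = {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": client_assertion,
    }
    return f"{org_url}/oauth2/v1/token", urllib.parse.urlencode(form).encode()


def granted_scopes(access_token):
    """Read the `scp` claim from the access token payload.

    Diagnostic only: the signature is NOT verified here, so never use this
    to make an authorization decision.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", []))


def diagnose_logs_response(status, body, token_scopes):
    """Map a /api/v1/logs response to the control that blocked it."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token rejected: expired, wrong audience, or not a bearer token for this org"
    if status == 403:
        error_code = body.get("errorCode") if isinstance(body, dict) else None
        if LOGS_SCOPE not in token_scopes:
            return f"scope {LOGS_SCOPE} is not in the token: grant it to the app under Okta API Scopes"
        # Scope is present, so the OAuth layer is satisfied; the second control,
        # an admin role assigned to the service app, is what is missing.
        return (f"403 {error_code}: token carries {LOGS_SCOPE} but the service app has no admin "
                "role that permits reading the System Log (e.g. Report Administrator)")
    return f"unexpected HTTP {status}"


def fetch_logs(org_url, client_assertion, since=None):
    """Get a token, then read one page of /api/v1/logs; raise with a diagnosis on failure."""
    url, form = build_token_request(org_url, client_assertion)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=form, method="POST")) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.HTTPError as e:
        err = json.load(e)  # e.g. invalid_scope when the scope is not granted to the app
        raise RuntimeError(f"token request failed: {err.get('error')}: {err.get('error_description')}")
    scopes = granted_scopes(token)
    query = {"limit": 100}
    if since:
        query["since"] = since  # ISO-8601 timestamp, as the System Log API expects
    req = urllib.request.Request(
        f"{org_url}/api/v1/logs?{urllib.parse.urlencode(query)}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        body = json.load(e) if e.headers.get_content_type() == "application/json" else {}
        raise RuntimeError(diagnose_logs_response(e.code, body, scopes))


def sample_unsigned_token(scopes):
    """Constructed, unsigned sample token (header.payload.signature) for offline use only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64({"scp": scopes, "cid": "0oaexample"}), "sig"])


if __name__ == "__main__":
    tok = sample_unsigned_token([LOGS_SCOPE])
    print(granted_scopes(tok))
    # The situation described in the question: scope granted, 403 from the logs endpoint.
    print(diagnose_logs_response(403, {"errorCode": "E0000006"}, granted_scopes(tok)))
```

When `fetch_logs` raises with the "no admin role" message, the fix is the one the answer gives: assign the least-privileged role that covers the System Log rather than Super Administrator, and keep the scope list on the app limited to `okta.logs.read`.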