I have a Native app set up in my developer org that has the “okta.users.manage” scope enabled. This app has the “Resource Owner Password” grant and I am able to obtain a bearer token as well as query for the user account I want to reset the password for. The problem is when I attempt to reset the password with /api/v1/users/ I am getting E0000006, You do not have permission to perform the requested action.
Based on the research I’ve done, I need to add the application to a role that has permissions to reset passwords, but it doesn’t appear I’m able to do that with a Native app.
I am currently building a Cyberark password management plugin that can manage passwords for Okta-mastered accounts, so I would prefer to have as few steps as possible, at least when obtaining the bearer token. And no, Cyberark’s REST API Framework does not support SSWS tokens.
The user that is issued the token (in this case, I assume that's your end user) would need permission to manage their own password. This isn’t possible when relying on the okta.users.manage scope and the /api/v1/users endpoint, which only an Admin user will be able to use.
Instead, you can use the MyAccount endpoint and its password management scope, okta.myAccount.password.manage, and endpoint, /idp/myaccount/password. These MyAccount endpoints are specifically designed for end users to manage their own password/email/etc.
The user that is issued the token is an Okta admin in my org. After the bearer token (with the “okta.users.manage” scope) is issued to the Okta Admin, the next step is to query Okta for the username of the account whose password will be reset (this can be any user in the org). The final step is to reset the password using the /api/v1/users/ endpoint.
To summarize, only the Okta admin will be issued the token each time there is a request to reset the password for any account in the org.
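The three-step flow described in the reply above (ROPC token for the admin, user lookup, reset), written as an added example that is not the poster's plugin code or Okta's SDK. It assumes the org authorization server token endpoint /oauth2/v1/token, the `filter=profile.login eq "..."` user query and the /api/v1/users/{id}/lifecycle/reset_password endpoint from Okta's public API; the org URL, client id and the `fake_okta` responses are constructed placeholders. The point it makes is that a granted okta.users.manage scope and a successful lookup do not prove the token holder can reset passwords: E0000006 on the last call means the admin role, not the scope, is the blocker, and the client should report it as such.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

SCOPE = "okta.users.manage"
class OktaPermissionError(Exception): pass  # scope was fine, the token holder's admin role blocks the call

def http_send(org_url, method, path, body=None, bearer=None, form=False):
    """urllib transport; parses the JSON body even on 4xx so errorCode reaches the caller."""
    headers = {"Accept": "application/json"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    if form:
        data, headers["Content-Type"] = urllib.parse.urlencode(body).encode(), "application/x-www-form-urlencoded"
    else:
        data, headers["Content-Type"] = (json.dumps(body).encode() if body is not None else None), "application/json"
    req = urllib.request.Request(org_url + path, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:
        return json.load(e)

def reset_password(send, client_id, admin_login, admin_password, target_login):
    """send(method, path, body, bearer, form) -> parsed JSON. Returns the one-time reset URL."""
    tok = send("POST", "/oauth2/v1/token", {"grant_type": "password", "client_id": client_id,
               "scope": SCOPE, "username": admin_login, "password": admin_password}, None, True)
    if "access_token" not in tok:
        raise OktaPermissionError(f"token request failed: {tok.get('error_description', tok)}")
    if SCOPE not in tok.get("scope", "").split():  # Okta echoes the granted scopes; check them, don't assume
        raise OktaPermissionError(f"{SCOPE} was not granted; enable it under the app's Okta API Scopes")
    bearer = tok["access_token"]
    q = urllib.parse.urlencode({"filter": f'profile.login eq "{target_login}"'})
    users = send("GET", f"/api/v1/users?{q}", None, bearer, False)
    if not isinstance(users, list) or not users:
        raise LookupError(f"no user found for {target_login}: {users}")
    resp = send("POST", f"/api/v1/users/{users[0]['id']}/lifecycle/reset_password?sendEmail=false",
                None, bearer, False)
    if resp.get("errorCode") == "E0000006":  # lookup worked, reset did not: admin role, not scope
        raise OktaPermissionError("E0000006: the admin role assigned to the token holder cannot reset this user")
    return resp["resetPasswordUrl"]

def fake_okta(role_can_reset):
    """Constructed stand-in for the org so the flow runs offline; these are not real Okta responses."""
    def send(method, path, body, bearer, form):
        if path == "/oauth2/v1/token":
            return {"access_token": "tok-constructed", "scope": SCOPE, "token_type": "Bearer"}
        if path.startswith("/api/v1/users?"):
            return [{"id": "00u-constructed", "profile": {"login": "jane@example.com"}}]
        if path.endswith("/lifecycle/reset_password?sendEmail=false") and role_can_reset:
            return {"resetPasswordUrl": "https://example.okta.com/reset_password/constructed"}
        return {"errorCode": "E0000006", "errorSummary": "You do not have permission to perform the requested action"}
    return send
```

Against a real org, pass `lambda *a: http_send("https://YOUR-ORG.okta.com", *a)` as `send`; the fake is only there to show both outcomes without network access.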
What role is assigned to the admin that was issued the bearer token? If the access token you’re using is issued to a user, only the admin role for that user should matter when determining if they have permissions to update the user’s password.