User list returns no users

Hi, we are requesting user information from the Okta API, as follows:

• Application integration:
  • Sign-in method: “API Services”
  • Client authentication: Public key / Private Key
  • Okta API Scopes: okta.users.read
• Tenant:
  • This is their ‘UAT environment’, https://???.oktapreview.com/
  • They have upgraded to the Identity Platform.
  • They don’t have a custom auth server. Just the ‘Org’ auth server.
• Our Oauth client:
  • auth style: client_credentials
  • token_endpoint_auth_method: private_key_jwt
  • Scopes: ["okta.users.read"]
  • Technology: go. We’re using the clientcredentials package - golang.org/x/oauth2/clientcredentials - Go Packages package.

Calls to the /users endpoints authenticate OK but I have access to no users.

• Calls to URL https://???.oktapreview.com/api/v1/users/:id and https://???.oktapreview.com/api/v1/users/:id/groups return a 403:

Status: 403 Forbidden
{"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorLink":"E0000006","errorId":"oaeRUPaKt_9Q3WpromiLHwtvw","errorCauses":[]}

• Calls to the URL https://???.oktapreview.com/api/v1/users returns 200 OK an empty list

Status: 200 OK
[]

We have used this approach successfully on other Okta tenants, where we receive a full user list (or specific data about a single user).

What do you think could be the problem here?

I guess it could be a policy setting on the client’s Okta org. Their representative could not see anything obvious which could be affecting this.

Do you have any advice, please?

Thanks

Can you ensure that your API Services app has been assigned an Admin Role that has permissions to read users?

Thanks @andrea , I didn’t know about admin roles for API Services apps. Thanks for the link, it looks like it’s a preview feature. That explains why we haven’t needed to add admin roles for other domains before.

I’m guessing that the integration would be best suited to a READ_ONLY_ADMIN role type.

I guess there’s no UI yet for configuring these? If not, then I can guide our client to set themselves up with an API key and make the POST request.

Thanks

Ah, I’ve seen the UI documentation now.

https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/work-with-admin.htm?cshid=csh-work-with-admin-assign-admin-role-to-apps#Assign_admin_roles_to_apps

It looks like we don’t have this feature on our own production org or on our developer org (but presumably our client does).

Good to know about it, thanks.

So you don’t see the “Admin Roles” tab in your own org right now? If so, you should be able to enable it yourself under Settings → Features → “Assign admin roles to public client app”

Screenshot 2023-12-06 at 1.59.24 PM1671×697 76.4 KB

Thanks, I was able to add it and and the client has also added it. We are closer now.
At least on my test harness, this app integration can now fetch users. Cheers

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.