I am trying to call APIs and have scopes okta.apps.read, okta.roles.read, and okta.users.read. I am able to call /users endpoint successfully which probably confirms that okta.users.read scope is granted. However when I call /users/#{user_id}/factors endpoint I get a 403. This does not happen with other instances of my app – could there be a setting when the app is created within Okta that could lead to this?
Hello,
Is the OAuth Application in Okta a public app where you authenticate with a user to get an access_token, or a service app that uses the client credentials grant type?
- If it is a public application what admin permission does the user you are using to get an access_token have?
- If it is a service application, when you view the application in the Okta Admin dashboard is there a tab for Admin Roles?
- if so what roles have you assigned?
Thank You,
Hi @erik, it is a service application. I can confirm with our customer if they see the Admin Roles tab but at least on our working test applications I don’t see it. Would it be possible for you to suggest next steps if they see/do not see the tab?
Hello,
If they don’t have the tab I would expect this to work; the default used to be to assign the role super admin.
If they do have the tab and there is no role assigned, or the role does not have the proper permissions a 403 would be returned.
This feature is GA, so it should be turned on in all Orgs and I would expect the tab to be there.
Thank You,
Hi @erik,
They don’t have the tab but it’s still not working. Is there anything else that I can check?
FYI these are the steps that we ask our customers to follow. I don’t think there should be anything wrong with these because they have been working for a couple of years for other customers but sharing just in case needed for further debugging:
- In Developer Console under Applications → Applications → Create App Integration
- Select OIDC - OpenID Connect for sign-in method
- Pick Web Application as the Application type
- Grant Type: Refresh Token is checked
- Set sign-in redirect URIs to our endpoint
- Skip group assignment for now
- Save, and then grant some Okta API scopes including okta.users.read
- Assign yourself to the application under Assign > Assign to People if not already assigned
- Provide us with the Client ID and Client Secret
We use the ID and Secret provided in the last step for OAuth.
Hello,
What you have described sounds like a web app using the Authorization Code flow, not a service app.
- If it is a public application what admin permission does the user you are using to get an access_token have?
- If it is a service application, when you view the application in the Okta Admin dashboard is there a tab for Admin Roles?
- if so what roles have you assigned?
In this case where users are assigned to the app you need to make sure those users are part of an admin role that has enough permissions for the operation you are attempting. What admin role are these users added to?
Thank You,
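The distinction Erik draws above (a scope granted to the app is necessary but not sufficient; with the Authorization Code flow the token is bound to a user, and that user's admin role decides the 403) is easy to check from the access token itself before opening a support case. The following is an added example, not code from the thread or from Okta: it decodes the token payload without verifying the signature (diagnostic use only, never for authorization decisions) and classifies a 403 on /users/{id}/factors. It assumes the claim names Okta's org authorization server puts in OAuth-for-Okta access tokens (`scp` for granted scopes, `cid` for the client ID, `sub` and `uid` for the user in a user-bound token, with `sub` equal to the client ID and no `uid` for a client-credentials token); the tokens it builds are constructed, unsigned samples, not real Okta tokens.

```python
import base64
import json

# Scope needed for GET /api/v1/users/{id}/factors, as discussed in the thread.
REQUIRED_SCOPE = "okta.users.read"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    """base64url without padding, the JWT compact-serialisation convention."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature.

    Diagnostic use only: the values are attacker-controllable until the
    signature is checked against the issuer's JWKS, so never make an
    authorization decision on them.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_403(token: str, required_scope: str = REQUIRED_SCOPE) -> dict:
    """Classify why an Okta management API call returned 403.

    Assumed claim layout (see lead-in): 'scp' = granted scopes, 'cid' = client
    ID, 'uid'/'sub' = the user for a user-bound (Authorization Code) token; a
    client-credentials token has sub == cid and no 'uid'.
    """
    claims = decode_jwt_payload(token)
    scopes = set(claims.get("scp", []))
    client_id = claims.get("cid")
    subject = claims.get("sub")
    user_bound = "uid" in claims or (subject is not None and subject != client_id)

    result = {
        "scopes": sorted(scopes),
        "has_required_scope": required_scope in scopes,
        "user_bound": user_bound,
        "subject": subject,
    }
    if required_scope not in scopes:
        # The app was never granted the scope, or the client did not request it.
        result["likely_cause"] = f"token lacks scope {required_scope}"
    elif user_bound:
        # Scope is present, so the remaining gate is the signed-in user's admin role.
        result["likely_cause"] = (
            f"user {subject} is not in an admin role that permits this operation"
        )
    else:
        # Service app: the role comes from the app's Admin Roles tab instead.
        result["likely_cause"] = "service app has no admin role assigned (Admin Roles tab)"
    return result


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned (alg=none) token for offline demonstration.

    Real Okta tokens are RS256-signed; this only exercises the decoder.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims (not real identifiers) covering the three outcomes.
SAMPLE_USER_WITH_SCOPE = {
    "sub": "jane.doe@example.com", "uid": "00uCONSTRUCTED", "cid": "0oaCONSTRUCTED",
    "scp": ["okta.users.read", "okta.apps.read", "okta.roles.read"],
}
SAMPLE_USER_NO_SCOPE = {
    "sub": "jane.doe@example.com", "uid": "00uCONSTRUCTED", "cid": "0oaCONSTRUCTED",
    "scp": ["okta.apps.read"],
}
SAMPLE_SERVICE_APP = {
    "sub": "0oaCONSTRUCTED", "cid": "0oaCONSTRUCTED",
    "scp": ["okta.users.read"],
}

if __name__ == "__main__":
    for name, claims in [("user+scope", SAMPLE_USER_WITH_SCOPE),
                         ("user-no-scope", SAMPLE_USER_NO_SCOPE),
                         ("service-app", SAMPLE_SERVICE_APP)]:
        print(name, diagnose_403(make_unsigned_token(claims))["likely_cause"])
```

Run it against the real access token your integration obtained (paste it in place of a constructed one) to see at a glance whether the token is user-bound, which scopes it actually carries, and therefore whether the next thing to check is the app's scope grants or the assigned user's admin role.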
Hi @erik, that helped. When we asked the customer to check the admin roles they realized that the correct user was not assigned to it. That should resolve the issue. I’ll reach out here again if it doesn’t. Thanks for your help!