I had been trying to use a self-scoped OAuth 2.0 token for the Factors API - okta.users.manage.self - as well as using “me” and not the userId, with the goal of enrolling Google Authenticator in our custom application.
This consistently returns 403s. I have seen this same strategy work with other endpoints such as listing all application links with okta.users.read.self and replacing the ID with ‘me’.
Perhaps I am missing the actual intention behind the ‘.self’ scopes but in my mind what I am trying to achieve is not unreasonable.
We are developing a SPA and looking to enable users to enroll additional MFA (Google Auth, etc.). I can fall back to the MyAccount authenticators API; we just would prefer to use our own UI, not Okta hosted.
We have the relevant tokens from the org server. We were attempting to invoke https://{yourOktaDomain}/api/v1/users/{userId}/factors - User Factors
However we do not wish to use the okta.users.manage scope if we can instead use okta.users.manage.self
I attempted to invoke https://{yourOktaDomain}/api/v1/users/me/factors using the .self scope, but that returns 403s. It appears it’s not aware of my session with Okta. We are invoking this API via a Node backend - if I hit https://{yourOktaDomain}/api/v1/users/me/factors via the browser, it works.
I would really appreciate some advice on this issue. I also can’t use the MyAccount Management API as it does not permit enrolling TOTP like Google Auth - only Custom Authenticators.
You need admin permissions and the okta.users.manage scope to enroll using the Factors endpoint; it’s not something that can be invoked with an OAuth token issued to an end user.
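An added example, not code from the original thread or from Okta: a small Node preflight that inspects the scopes a token actually carries before the backend sends the Factors call, so a `.self` token is rejected locally with a clear reason instead of surfacing as an opaque 403 from Okta. It assumes the token is a JWT from the org authorization server with scopes in the standard `scp` claim, that the enrollment endpoint needs `okta.users.manage` as the answer above states, and that the Google Authenticator enrollment body is `{ factorType: "token:software:totp", provider: "GOOGLE" }`. The sample tokens are constructed, unsigned JWTs built inline; nothing here touches the network.

```javascript
// Added example (not from the original thread): preflight an Okta API token
// before calling POST /api/v1/users/{userId}/factors, so a scope mismatch is
// reported locally instead of as a bare 403 from Okta.
//
// Assumptions (not stated in the thread): the token is a JWT from the Okta
// org authorization server with scopes in the `scp` claim, and the Factors
// enrollment endpoint requires `okta.users.manage` (per the answer above).

const REQUIRED_SCOPE = 'okta.users.manage';

// Decode a JWT payload WITHOUT verifying the signature. This is only for
// inspecting our own token locally; never use it to trust claims from a caller.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Scopes granted to the token, or [] if the claim is missing or malformed.
function tokenScopes(token) {
  const { scp } = decodeJwtPayload(token);
  return Array.isArray(scp) ? scp : [];
}

// Returns either the request the backend should send, or the reason Okta
// would reject it. The scope check is necessary but not sufficient: the
// token's subject must also hold an admin role, which cannot be seen here.
function planFactorsEnrollment(oktaDomain, token, userId, factorBody) {
  const scopes = tokenScopes(token);
  if (!scopes.includes(REQUIRED_SCOPE)) {
    return {
      ok: false,
      reason:
        `token carries [${scopes.join(', ')}] but ${REQUIRED_SCOPE} is required; ` +
        'a .self scope does not authorise /users/{userId}/factors',
    };
  }
  return {
    ok: true,
    request: {
      method: 'POST',
      url: `https://${oktaDomain}/api/v1/users/${encodeURIComponent(userId)}/factors`,
      headers: {
        Authorization: `Bearer ${token}`,
        Accept: 'application/json',
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(factorBody),
    },
  };
}

// Constructed sample tokens: unsigned JWTs whose payloads mimic the two scope
// choices discussed in the thread. The signature segment is a dummy string.
function makeUnsignedJwt(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const SELF_SCOPED_TOKEN = makeUnsignedJwt({ sub: '00u_example', scp: ['okta.users.manage.self'] });
const ADMIN_SCOPED_TOKEN = makeUnsignedJwt({ sub: '00u_example', scp: ['okta.users.manage'] });

// Enrollment body for Google Authenticator (TOTP) on the Factors API.
const GOOGLE_TOTP_ENROLL = { factorType: 'token:software:totp', provider: 'GOOGLE' };

// Demo: the .self token is refused locally; the admin-scoped token yields a request.
console.log(planFactorsEnrollment('example.okta.com', SELF_SCOPED_TOKEN, 'me', GOOGLE_TOTP_ENROLL));
console.log(planFactorsEnrollment('example.okta.com', ADMIN_SCOPED_TOKEN, '00u_example', GOOGLE_TOTP_ENROLL));
```

Run with `node` and pass the `ok: true` plan to `fetch` (or your HTTP client of choice). Because the backend is now holding an admin-capable `okta.users.manage` token rather than the end user's own token, keep that token server-side only, and derive `userId` from the user's authenticated session rather than from request input, so one user cannot enroll factors for another.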