I have the following in Terraform which results in successfully creating the app but I get an “Invalid Session” error when trying to grant scopes to the app. I’m accessing Okta through another application with app.manage/read scopes.
resource "okta_app_oauth" "user_management_app" {
  label                      = "User Management"
  type                       = "service"
  grant_types                = ["client_credentials"]
  token_endpoint_auth_method = "private_key_jwt"

  # Public key the service app authenticates with (private_key_jwt).
  jwks {
    kty = "RSA"
    kid = "..."
    e   = "..."
    n   = "..."
  }
}

# Grants the Okta API scopes to the app (POST /api/v1/apps/{id}/grants).
resource "okta_app_oauth_api_scope" "user_management_app_api_scopes" {
  app_id = okta_app_oauth.user_management_app.id
  issuer = "https://our-org.oktapreview.com"
  scopes = ["okta.users.read", "okta.users.manage"]
}
Here is the error:
Error: failed to create application scope consent grant: failed to grant application api scope: the API returned an error: Invalid session
I looked at this apparently identical issue but the answer doesn’t help my situation: resource "okta_app_oauth_api_scope" failed to grant application api scope: the API returned an error: Invalid session · Issue #1083 · okta/terraform-provider-okta · GitHub
erik
July 16, 2022, 10:11pm
2
Hello,
Currently not all of the Okta management API endpoints support OAuth2. The Okta Terraform Provider relies on the API. The grants endpoint /api/v1/apps/<ID>/grants is one of those endpoints. For this endpoint an API Token will need to be used.
2022-07-15T17:09:34.550-0700 [DEBUG] provider.terraform-provider-example: 2022/07/15 05:09:34 [DEBUG] performing request: method=POST url=https://{ORG}.okta.com/api/v1/apps/0oa1.../grants
2022-07-15T17:09:34.550-0700 [INFO] provider.terraform-provider-example: 2022/07/15 17:09:34 [DEBUG] Okta API Request Details:
---[ REQUEST ]---------------------------------------
POST /api/v1/apps/0oa1.../grants HTTP/1.1
Host: {ORG}.okta.com
User-Agent: okta-sdk-golang/2.13.0 golang/go1.18.3 darwin/amd64 okta-terraform/3.30.0
Content-Length: 72
Accept: application/json
Authorization: Bearer eyJra...BUDaQ
Content-Type: application/json
Accept-Encoding: gzip
{
"issuer": "https://{ORG}.okta.com",
"scopeId": "okta.users.read"
}
-----------------------------------------------------: timestamp=2022-07-15T17:09:34.550-0700
2022-07-15T17:09:34.617-0700 [INFO] provider.terraform-provider-example: 2022/07/15 17:09:34 [DEBUG] Okta API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
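The practical consequence of Erik's answer is that the grants call cannot succeed under the OAuth2 bearer token the rest of the configuration is using, so the resource that makes that call has to authenticate differently. The configuration below is an added example, not code from the thread or from the Okta provider's documentation: it keeps the default OAuth2 (private_key_jwt) provider for everything it can do, and routes only okta_app_oauth_api_scope through a second provider instance that authenticates with an SSWS API token via the provider meta-argument. The org name, base URL, variable names, the provider scopes list and the alias "ssws" are assumptions; the jwks values are left as the "..." placeholders from the question.

```hcl
# Added example (not from the thread). Assumes org "our-org" on oktapreview.com,
# an existing SSWS API token in var.okta_api_token, and an OAuth2 service app
# (client_id + RSA private key) in var.okta_client_id / var.okta_private_key.

terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

variable "okta_client_id" {
  type = string
}

variable "okta_private_key" {
  type      = string
  sensitive = true
}

variable "okta_api_token" {
  type      = string
  sensitive = true
}

# Default provider instance: OAuth2 service app, as in the question.
# The scopes listed here are an assumption about what the service app was granted.
provider "okta" {
  org_name    = "our-org"
  base_url    = "oktapreview.com"
  client_id   = var.okta_client_id
  private_key = var.okta_private_key
  scopes      = ["okta.apps.read", "okta.apps.manage"]
}

# Second provider instance: static SSWS API token. Used only for the
# endpoint that rejects OAuth2 bearer tokens with 403 "Invalid session".
provider "okta" {
  alias     = "ssws"
  org_name  = "our-org"
  base_url  = "oktapreview.com"
  api_token = var.okta_api_token
}

# Created over OAuth2 (POST /api/v1/apps works with a bearer token).
resource "okta_app_oauth" "user_management_app" {
  label                      = "User Management"
  type                       = "service"
  grant_types                = ["client_credentials"]
  token_endpoint_auth_method = "private_key_jwt"

  jwks {
    kty = "RSA"
    kid = "..."
    e   = "..."
    n   = "..."
  }
}

# Calls POST /api/v1/apps/{id}/grants, which needs an API token, so this
# resource is pinned to the SSWS-authenticated provider instance.
resource "okta_app_oauth_api_scope" "user_management_app_api_scopes" {
  provider = okta.ssws

  app_id = okta_app_oauth.user_management_app.id
  issuer = "https://our-org.oktapreview.com"
  scopes = ["okta.users.read", "okta.users.manage"]
}
```

Two caveats for anyone adopting this. An SSWS token is a long-lived bearer credential tied to the admin who created it, so mint it from a dedicated service account with only the admin role the grants endpoint needs, mark it sensitive as above so it is redacted from plan output, and remember it still lands in state if any resource attribute echoes it. And before changing the configuration, confirm the diagnosis the same way the debug log above does: the same POST /api/v1/apps/{id}/grants request that returns 403 "Invalid session" with an `Authorization: Bearer ...` header should succeed with `Authorization: SSWS <token>`; if it still fails, the problem is the token's admin role, not the auth method.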
Thanks for the info Erik! Is it on the roadmap to add OAuth2 support? Also is there a list of endpoints that don’t have OAuth2 support?
erik
July 18, 2022, 10:08pm
4
I don’t know what the current roadmap is to enable support for all endpoints. This has the current supported endpoints.