Using Terraform to add scopes to app results in invalid session

I have the following in Terraform, which successfully creates the app, but I get an “Invalid Session” error when trying to grant scopes to the app. I’m accessing Okta through another application with app.manage/read scopes.

resource "okta_app_oauth" "user_management_app" {
  label                      = "User Management"
  type                       = "service"
  grant_types                = ["client_credentials"]
  token_endpoint_auth_method = "private_key_jwt"

  jwks {
    kty = "RSA"
    kid = "..."
    e   = "..."
    n   = "..."
  }
}

resource "okta_app_oauth_api_scope" "user_management_app_api_scopes" {
  app_id = okta_app_oauth.user_management_app.id
  issuer = "https://our-org.oktapreview.com"
  scopes = ["okta.users.read", "okta.users.manage"]
}

Here is the error:
Error: failed to create application scope consent grant: failed to grant application api scope: the API returned an error: Invalid session

I looked at this apparently identical issue but the answer doesn’t help my situation: resource "okta_app_oauth_api_scope" failed to grant application api scope: the API returned an error: Invalid session · Issue #1083 · okta/terraform-provider-okta · GitHub

Hello,
Currently, not all of the Okta management API endpoints support OAuth2. The Okta Terraform Provider relies on the API. The grants endpoint /api/v1/apps/<ID>/grants is one of those endpoints. For this endpoint an API token will need to be used.

2022-07-15T17:09:34.550-0700 [DEBUG] provider.terraform-provider-example: 2022/07/15 05:09:34 [DEBUG] performing request: method=POST url=https://{ORG}.okta.com/api/v1/apps/0oa1.../grants
2022-07-15T17:09:34.550-0700 [INFO]  provider.terraform-provider-example: 2022/07/15 17:09:34 [DEBUG] Okta API Request Details:
---[ REQUEST ]---------------------------------------
POST /api/v1/apps/0oa1.../grants HTTP/1.1
Host: {ORG}.okta.com
User-Agent: okta-sdk-golang/2.13.0 golang/go1.18.3 darwin/amd64 okta-terraform/3.30.0
Content-Length: 72
Accept: application/json
Authorization: Bearer eyJra...BUDaQ
Content-Type: application/json
Accept-Encoding: gzip

{
 "issuer": "https://{ORG}.okta.com",
 "scopeId": "okta.users.read"
}

-----------------------------------------------------: timestamp=2022-07-15T17:09:34.550-0700
2022-07-15T17:09:34.617-0700 [INFO]  provider.terraform-provider-example: 2022/07/15 17:09:34 [DEBUG] Okta API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
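For anyone hitting the same 403, the practical consequence of the reply above is that the provider block has to authenticate with an SSWS API token instead of the OAuth2 client credentials (client_id / private_key / scopes). The following is an added example, not code from this thread or from the Okta provider's own docs; the variable name okta_api_token is an assumption, and the org name and preview base URL are taken from the question.

```hcl
# Added example: configure the Okta Terraform provider with an API token so that
# okta_app_oauth_api_scope (which calls POST /api/v1/apps/<ID>/grants) is accepted.
# Variable name is an assumption; org_name/base_url follow the question's
# https://our-org.oktapreview.com issuer.

variable "okta_api_token" {
  description = "SSWS API token from Security > API > Tokens. It inherits the privileges of the admin who created it, so create it from a dedicated, least-privileged admin account and never commit it."
  type        = string
  sensitive   = true
}

provider "okta" {
  org_name  = "our-org"
  base_url  = "oktapreview.com"
  api_token = var.okta_api_token

  # Do not combine this with client_id / private_key / scopes: a bearer token
  # minted by those is what the grants endpoint rejects with "Invalid session".
}
```

Supplying the token through the OKTA_API_TOKEN environment variable (with OKTA_ORG_NAME and OKTA_BASE_URL alongside it) works the same way and keeps the secret out of .tfvars files and CI logs. Keep in mind that an API token is tied to the creating admin's permissions and is deactivated after 30 days without use, so a pipeline that runs rarely needs a rotation plan.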

Thanks for the info Erik! Is it on the roadmap to add OAuth2 support? Also is there a list of endpoints that don’t have OAuth2 support?

I don’t know what the current roadmap is to enable support for all endpoints.
This has the currently supported endpoints.
