Using Terraform to add scopes to app results in invalid session

I have the following in Terraform which results in successfully creating the app but I get an “Invalid Session” error when trying to grant scopes to the app. I’m accessing Okta through another application with app.manage/read scopes.

resource "okta_app_oauth" "user_management_app" {
  label                      = "User Management"
  type                       = "service"
  grant_types                = ["client_credentials"]
  token_endpoint_auth_method = "private_key_jwt"

  jwks {
    kty = "RSA"
    kid = "..."
    e   = "..."
    n   = "..."

resource "okta_app_oauth_api_scope" "user_management_app_api_scopes" {
  app_id =
  issuer = ""
  scopes = ["", "okta.users.manage"]

Here is the error:
Error: failed to create application scope consent grant: failed to grant application api scope: the API returned an error: Invalid session

I looked at this apparently identical issue but the answer doesn’t help my situation: resource "okta_app_oauth_api_scope" failed to grant application api scope: the API returned an error: Invalid session · Issue #1083 · okta/terraform-provider-okta · GitHub

Currently not all of the Okta management API endpoints support OAuth2. The Okta Terraform Provider relies on the API. The grants endpoint /api/v1/apps/<ID>/grants is one of those endpoints. For this endpoint an API Token will need to be used.

2022-07-15T17:09:34.550-0700 [DEBUG] provider.terraform-provider-example: 2022/07/15 05:09:34 [DEBUG] performing request: method=POST url=https://{ORG}
2022-07-15T17:09:34.550-0700 [INFO]  provider.terraform-provider-example: 2022/07/15 17:09:34 [DEBUG] Okta API Request Details:
---[ REQUEST ]---------------------------------------
POST /api/v1/apps/0oa1.../grants HTTP/1.1
Host: {ORG}
User-Agent: okta-sdk-golang/2.13.0 golang/go1.18.3 darwin/amd64 okta-terraform/3.30.0
Content-Length: 72
Accept: application/json
Authorization: Bearer eyJra...BUDaQ
Content-Type: application/json
Accept-Encoding: gzip

 "issuer": "https://{ORG}",
 "scopeId": ""

-----------------------------------------------------: timestamp=2022-07-15T17:09:34.550-0700
2022-07-15T17:09:34.617-0700 [INFO]  provider.terraform-provider-example: 2022/07/15 17:09:34 [DEBUG] Okta API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden

Thanks for the info Erik! Is it on the roadmap to add OAuth2 support? Also is there a list of endpoints that don’t have OAuth2 support?

I don’t know what the current roadmap is to enable support for all endpoints,
This has the current supported endpoints.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.