Second, just for clarification, the API token does take on the permissions of the user that created it. If a SU creates an API token, then the token will have SU permissions. If an App Admin creates a token it will have SU permissions.
Thanks for the answer.
Sorry if I sounded "lost"; I'm not the person who originally worked on the project and I'm trying to piece it all together. From what I can see, we are using SAML for the authentication between Okta and our Java web application. This works fine (and does not seem to require the API token).
Where we are using the token is for the user authentication that has to be done for specific operations from within our application (the user has to confirm the operation by entering their username/password, which needs to be validated in order for the operation to be completed).
For this, we have used the com.okta.sdk.clients.AuthApiClient Java object. An ApiClientConfiguration object (which requires a base URL and an API token) is passed to the AuthApiClient's constructor, and user authentication is done by calling authClient.authenticate(...).
Would the AuthApiClient be able to authenticate the users without the need for the API Token?
Or, assuming this could not be changed, would there be a simple way to prevent the token from having access to other apps (with rules or policies, or a very specific user created solely for this purpose who would then create the API token)? What would you recommend?
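For readers trying to follow the flow described in the post, here is an added example (not code from the original thread or from Okta) of how the re-authentication step would be wired with the legacy Okta Java SDK classes named above. The class names AuthApiClient and ApiClientConfiguration come from the post; the constructor and method signatures (ApiClientConfiguration(baseUrl, apiToken), authenticate(username, password, relayState), AuthResult.getStatus()), the ApiException-extends-IOException behaviour, and the OKTA_ORG_URL / OKTA_API_TOKEN environment variable names are assumptions and should be checked against the SDK version actually in use.

```java
// Added example, not the thread's or Okta's own code. Signatures below are assumed from the
// legacy Okta Java SDK (com.okta.sdk.*) and must be checked against the version in use.
import java.io.IOException;

import com.okta.sdk.clients.AuthApiClient;
import com.okta.sdk.framework.ApiClientConfiguration;
import com.okta.sdk.models.auth.AuthResult;

public class OperationConfirmation {

    private final AuthApiClient authClient;

    public OperationConfirmation(String orgBaseUrl, String apiToken) {
        // The API token carries the permissions of the user who created it, so it is a
        // secret in its own right: load it from configuration/environment, never hard-code it.
        ApiClientConfiguration config = new ApiClientConfiguration(orgBaseUrl, apiToken);
        this.authClient = new AuthApiClient(config);
    }

    /**
     * Re-validates the user's username/password before a sensitive operation.
     * Returns true only when Okta reports a fully successful primary authentication.
     */
    public boolean confirm(String username, String password) {
        try {
            // relayState is not needed for a pure credential check, so null is passed (assumed).
            AuthResult result = authClient.authenticate(username, password, null);
            String status = result.getStatus();
            // Any status other than SUCCESS (for example MFA_REQUIRED, PASSWORD_EXPIRED,
            // LOCKED_OUT) means the credentials were not fully validated: fail closed.
            return "SUCCESS".equals(status);
        } catch (IOException e) {
            // Covers transport errors and the SDK's ApiException (assumed to extend IOException),
            // including a 401 caused by an invalid or revoked API token. Log it, but fail closed.
            System.err.println("Okta authentication call failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumed environment variable names; the base URL is the org URL, e.g. https://your-org.okta.com
        String baseUrl = System.getenv("OKTA_ORG_URL");
        String apiToken = System.getenv("OKTA_API_TOKEN");
        if (baseUrl == null || apiToken == null || args.length != 2) {
            System.err.println("usage: OKTA_ORG_URL=... OKTA_API_TOKEN=... OperationConfirmation <username> <password>");
            System.exit(2);
        }
        OperationConfirmation oc = new OperationConfirmation(baseUrl, apiToken);
        boolean ok = oc.confirm(args[0], args[1]);
        System.out.println(ok ? "operation confirmed" : "confirmation failed");
        System.exit(ok ? 0 : 1);
    }
}
```

Two points worth noting when reading this against the thread: the API token is what authorizes the call to the authentication endpoint, while the username/password being checked belong to the end user, so the two are separate credentials; and because the token inherits its creator's permissions, the check fails closed on any error so that a revoked or mis-scoped token can never be mistaken for a successful confirmation.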