When sending an authorization request for an OpenID Connect/OAuth application, or when configuring a Custom Authorization Server, the following error is returned:
Okta HTTP 401 E0000015 You do not have permission to access the feature you are requesting.
- OpenID Connect/OAuth application
- /oauth2/{{authorizationServerId}}/v1/authorize
- /oauth2/{{authorizationServerId}}/v1/token
- /api/v1/authorizationServers
Although this error may be returned for other endpoints, when working on an OpenID Connect/OAuth integration, the leading cause is that the Okta org being used does not have the paid API Access Management feature.
A Custom Authorization Server, like the one named Default, cannot be used in Okta orgs that do not have the API Access Management license. While the use of a Custom Authorization Server is not available, there is a built-in Authorization Server that the org can use; however, it is not customizable.
Because it is not customizable, the built-in Org Authorization Server does not allow the following:
- Configure Access Policies/Rules
  - This allows adjustment of token lifetimes and enables a Token Inline Hook.
- Create custom Scopes/Claims
- Complete local Access Token Validation
Review the links provided under Related References for more information on these limitations and the options available when using the Org Authorization Server.
To use the built-in Org Authorization Server, ensure that the integration is configured to reference this server.
- The authorization request should be made to https://<OktaDomain>/oauth2/v1/authorize
  - NOTE: For reference, the Authorization Endpoint for the "Default" Custom Authorization Server is https://<OktaDomain>/oauth2/default/v1/authorize.
- The endpoints for the Org Authorization Server can be found at its discovery endpoint:
https://<oktaDomain>/.well-known/openid-configuration.
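A configuration check for the endpoint difference described above, as an added example (not Okta's code): it flags integration URLs that target a Custom Authorization Server and returns the Org Authorization Server equivalent. The function names, setting keys and the example.okta.com domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# /oauth2/v1/... is the Org Authorization Server; /oauth2/<id>/v1/... is a
# Custom Authorization Server (for example "default").
_OAUTH_PATH = re.compile(r"^/oauth2/(?:(?P<server_id>[^/]+)/)?v1/(?P<rest>.+)$")


def classify(url):
    """Return ("org", None), ("custom", server_id) or ("other", None)."""
    m = _OAUTH_PATH.match(urlsplit(url).path)
    if not m:
        return ("other", None)
    sid = m.group("server_id")
    return ("custom", sid) if sid else ("org", None)


def to_org(url):
    """Rewrite a Custom Authorization Server endpoint to its Org counterpart."""
    parts = urlsplit(url)
    m = _OAUTH_PATH.match(parts.path)
    if not m or not m.group("server_id"):
        return url  # already the Org server, or not an OAuth endpoint
    return urlunsplit(parts._replace(path="/oauth2/v1/" + m.group("rest")))


def audit(settings):
    """Map each setting that targets a custom server to (server_id, org_url)."""
    findings = {}
    for key, url in settings.items():
        kind, sid = classify(url)
        if kind == "custom":
            findings[key] = (sid, to_org(url))
    return findings


# Constructed sample settings; example.okta.com is a placeholder domain.
SAMPLE = {
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "discovery": "https://example.okta.com/.well-known/openid-configuration",
}

if __name__ == "__main__":
    for key, (sid, fix) in audit(SAMPLE).items():
        print(f"{key}: custom server '{sid}' -> use {fix}")
```

Any setting reported by `audit` will return E0000015 in an org without API Access Management; after switching to the Org endpoint, the limitations listed above (no custom scopes/claims, no local access token validation) apply.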
If the built-in Org Authorization Server does not meet the needs of the use case, contact the Account Manager at Okta to discuss adding the relevant license for using Custom Authorization Servers.
