"403 Forbidden" Error when Using an Okta Connector Action Card in a Workflow
Workflows
Okta Classic Engine
Okta Identity Engine
Overview

A 403 Forbidden error occurs when executing an Okta connector Action card, including the Custom API Action card, in workflows. The www-authenticate response header included in the error message indicates that the access token does not contain the required scopes to execute the action card, for example:

www-authenticate: Bearer authorization_uri="http://{subdomain}.okta.com/oauth2/v1/authorize", realm="http://{subdomain}.okta.com", scope="okta.logs.read", error="insufficient_scope", error_description="The access token provided does not contain the required scopes.", resource="/api/v1/logs"

In this example, the access token does not contain the okta.logs.read scope needed to execute the Search System Logs card. The missing scope(s) may differ depending on which Okta action card is being used.
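To turn the diagnostic step into something repeatable, the following added example (not code from the Okta article) parses a Bearer challenge of the shape quoted above and returns the scopes the card is asking for, and only when the error is actually insufficient_scope. The sample header is constructed from the example above with the same placeholder subdomain.

```python
import re

# Constructed sample, modelled on the www-authenticate header quoted in the article.
SAMPLE_HEADER = (
    'Bearer authorization_uri="http://{subdomain}.okta.com/oauth2/v1/authorize", '
    'realm="http://{subdomain}.okta.com", scope="okta.logs.read", '
    'error="insufficient_scope", '
    'error_description="The access token provided does not contain the required scopes.", '
    'resource="/api/v1/logs"'
)

# Matches key="value" auth-params of an RFC 6750 Bearer challenge. Quoted values
# may themselves contain commas or spaces, so a naive split on "," is not safe.
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Return the auth-params of a 'Bearer ...' challenge as a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    return {k: v.replace('\\"', '"') for k, v in _PARAM_RE.findall(params)}


def missing_scopes(header: str) -> list:
    """Scopes the action card requires, taken from an insufficient_scope challenge.

    Returns [] for any other error (e.g. invalid_token) so that a caller does not
    go and grant scopes when the token itself, not its scopes, is the problem.
    """
    params = parse_bearer_challenge(header)
    if params.get("error") != "insufficient_scope":
        return []
    # The scope parameter is a space-delimited list (RFC 6749 section 3.3).
    return params.get("scope", "").split()


if __name__ == "__main__":
    info = parse_bearer_challenge(SAMPLE_HEADER)
    print(f"resource={info['resource']} missing scopes={missing_scopes(SAMPLE_HEADER)}")
```

Feed it the header copied from the Workflows error message; each scope it returns is one to look for on the Okta API Scopes tab (option one) or to add manually (option two).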

Applies To
  • Okta connector
  • Okta Devices connector
  • Okta Realms connector
  • Okta connector action cards
  • Workflows
Cause

This error will occur if the scope(s) required by the action card were not granted when the connection was authorized in Workflows.

Solution

Review the www-authenticate header in the error message to identify the missing required scope(s). To resolve the issue, the required scopes must be granted when authorizing the Okta connection. There are two potential options for granting the scopes:

  1. Grant Scopes on Okta Workflows OAuth app
  2. Use Custom Scopes


Grant Scopes on Okta Workflows OAuth app

  1. In the Okta Admin console, navigate to Applications > Applications and locate the Okta Workflows OAuth app.
  2. On the Okta API Scopes tab of the app, grant the required scope(s) by clicking the Grant button next to the scope. If the scope that is needed is not listed, option two below, Use Custom Scopes, must be used.
  3. Navigate to the Okta Workflows console and reauthorize the Okta connection being used by the card that is throwing the 403 error:
    1. Navigate to the Connections tab.
    2. Locate the appropriate Okta connection and click the reauthorize icon.
    3. Enter the Domain name.
    4. Enter the Client ID and Client Secret (these values are available on the Sign On tab of the Okta Workflows OAuth app).
    5. Click on the Permissions tab and select Use default scopes. The scopes that have been granted on the Okta API Scopes tab will be listed and selected by default.
    6. Click the Reauthorize button to reauthorize the connection.


Use Custom Scopes

Navigate to the Okta Workflows console and reauthorize the Okta connection being used by the card that is throwing the 403 error:

  1. Navigate to the Connections tab.
  2. Locate the appropriate Okta connection and click the reauthorize icon.
  3. Enter the Domain name.
  4. Enter the Client ID and Client Secret (these values are available on the Sign On tab of the Okta Workflows OAuth app).
  5. Click on the Permissions tab and select Customize scopes (advanced). The scopes that have been granted on the Okta API Scopes tab will be listed by default, as well as any scopes that have been manually added. If the missing scope is included in the list, make sure it is selected.
  6. If the missing scope is not listed, because it was not available on the Okta API Scopes tab of the Okta Workflows OAuth app, it must be added manually in the Manually add scopes section at the bottom of the page.
  7. Click the Reauthorize button to reauthorize the connection.


For a visual of option one (Grant Scopes on Okta Workflows OAuth app), see the following video walkthrough:
