The purpose of this article is to explain how to find the correct Okta admin role to assign to an OAuth2.0 Service Application, so that API calls made with its access token do not fail with the following error:
403 Forbidden - You do not have permission to perform the requested action
Applies to:
- OAuth2.0 Service Application
- Okta Identity Engine (OIE)
As specified in the OAuth2.0 Service App documentation, an admin role must be assigned to the application (on the application's Admin roles tab). Granting an API scope alone is not enough: the token will carry the scope, but the request is still rejected with 403 until a role that permits the operation is assigned.
How to find the correct admin role with the lowest level of permissions:
- Find out which API operations will be performed using the access token generated with the OAuth2.0 Service App.
  For example, if the access token will be used to call the /users API and the /apps API to read user and application information, the admin role to assign is Read Only Admin, and the following Okta API scopes must be granted:
  - okta.users.read
  - okta.apps.read
- Determine the admin role that will be required, using this document.
- Grant only the required Okta API scopes, by checking this document.
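The following is an added example (not Okta's code or part of this article) that separates the two causes of the 403 above for the read-only case described: a scope missing from the token's scp claim (fix: grant the scope) versus a scope that is present while the call still fails (fix: assign the admin role). The sample token, the operation names and the REQUIRED_SCOPES table are constructed for illustration.

```python
import base64
import json

# Least-privilege plan from this article: the token will only be used to
# read users (/users) and applications (/apps). Table is an assumption.
REQUIRED_SCOPES = {
    "read /users": "okta.users.read",
    "read /apps": "okta.apps.read",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token: str) -> set:
    """Return the scopes in the token's 'scp' claim.

    The signature is deliberately NOT verified: this inspects a token you
    already hold to explain a 403; it never decides whether to trust it.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("scp", []))


def diagnose(status: int, access_token: str, operation: str) -> str:
    """Map an API response plus the token's scopes to the likely fix."""
    needed = REQUIRED_SCOPES[operation]
    if needed not in token_scopes(access_token):
        return f"grant scope {needed} to the service app and request it"
    if status == 403:
        return "scope present; assign an admin role covering this operation (Read Only Admin suffices for reads)"
    return "ok"


# Constructed, unsigned sample token: okta.users.read was granted, but
# okta.apps.read was never granted, so it is absent from 'scp'.
_HEADER = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
_PAYLOAD = base64.urlsafe_b64encode(json.dumps(
    {"iss": "https://example.okta.com/oauth2/v1", "cid": "0oaEXAMPLE",
     "scp": ["okta.users.read"]}).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = f"{_HEADER}.{_PAYLOAD}.signature-placeholder"

if __name__ == "__main__":
    print(diagnose(403, SAMPLE_TOKEN, "read /users"))  # role not assigned yet
    print(diagnose(403, SAMPLE_TOKEN, "read /apps"))   # scope never granted
```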
