In addition to API tokens, Okta supports requesting an OAuth access token and using it to authorize requests to the Okta management API endpoints.
When an API Service application is used for this, Okta may return an HTTP 200 response with an empty response body, even though the token is valid and was granted the scope the endpoint requires.
- API Services app (OIDC)
- API requests
Even if the token was granted the scope needed for a given endpoint, an API Service application must also be assigned an admin role in order to receive the permissions the request requires. Scopes alone are not sufficient.
Ensure that the API Service app has been granted admin permissions sufficient for every request the integration needs to make.
For example, if the integration makes GET requests to /api/v1/users, grant the application the okta.users.read scope AND assign it an admin role that has permission to read users.
- NOTE: Just like an API token generated by an admin user, if the application is granted only a Groups admin role, it can only make GET requests for members of the groups it administers.
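As an added check (example code written for this note, not from the Okta article), the following Python script inspects the token's scp claim and classifies a management API response so that the "200 with empty body" symptom is flagged as probable silent downscoping instead of being treated as success. ORG_URL, the demo token builder and the response labels are assumptions.

```python
"""Detect Okta silent downscoping: an HTTP 200 with an empty body returned to an
API Service app whose token carries the scope but which lacks an admin role."""
from __future__ import annotations
import base64
import json
import urllib.error
import urllib.request
from typing import Any

ORG_URL = "https://example.okta.com"  # placeholder: replace with your org URL


def token_scopes(access_token: str) -> set[str]:
    """Read the scp claim from a JWT payload (inspection only, no signature check)."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("scp", []))


def classify_response(status: int, body: bytes, required_scope: str, scopes: set[str]) -> str:
    """Map a management API response to a label that says what to fix."""
    if required_scope not in scopes:
        return "missing_scope"   # token never had the scope: fix the app's scope grant
    if status in (401, 403):
        return "forbidden"       # Okta reported the problem explicitly
    if status == 200 and body.strip() == b"":
        return "downscoped"      # scope present, nothing returned: assign an admin role
    if status == 200:
        return "ok"
    return f"unexpected_{status}"


def check_endpoint(org_url: str, access_token: str, path: str, required_scope: str) -> str:
    """Call one endpoint with a Bearer token and classify the outcome."""
    req = urllib.request.Request(org_url + path, headers={
        "Authorization": f"Bearer {access_token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return classify_response(status, body, required_scope, token_scopes(access_token))


def make_demo_token(claims: dict[str, Any]) -> str:
    """Build a constructed, unsigned JWT for offline demos (not a real Okta token)."""
    def enc(d: dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    demo = make_demo_token({"scp": ["okta.users.read"]})  # constructed token
    print(classify_response(200, b"", "okta.users.read", token_scopes(demo)))  # downscoped
```

A real run would call check_endpoint(ORG_URL, token, "/api/v1/users", "okta.users.read") and treat "downscoped" as a configuration error, not a successful empty result.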
Related References
- More details about silent downscoping are available in How to set up and use an OAuth for Okta Service app.
