The Okta Identity Governance APIs can now be used within Okta Workflows. The governance scopes must be granted to the Okta connection before an Okta Custom API Action can call these endpoints.
If the scopes are not granted, a 403 Forbidden error can occur when trying to reach an OIG API endpoint. The www-authenticate response header included in the error message indicates that the access token does not contain the required scopes; in this example, the missing scope is okta.governance.accessRequests.read:
www-authenticate: Bearer authorization_uri="http://{subdomain}.okta.com/oauth2/v1/authorize", realm="http://{subdomain}.okta.com", scope="okta.governance.accessRequests.read", error="insufficient_scope", error_description="The access token provided does not contain the required scopes.", resource="/governance/api/v1/requests/{requestId}"
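The following script is an added example, not part of the original article or of Okta's own tooling. It parses the Bearer challenge in the www-authenticate header of a 403 response, extracts the scope the endpoint demands, and compares it against the scopes believed to be granted to the Okta Workflows OAuth application, so the missing grant can be identified before reauthorizing the connection. The sample header is constructed to match the shape shown above; {subdomain} and {requestId} are placeholders, and the granted-scope set is an assumed input.

```python
import re

# Constructed sample of the www-authenticate header returned by an OIG
# endpoint when the Workflows access token lacks a governance scope.
# Same shape as the article's example; {subdomain} and {requestId} are
# placeholders, not real values.
SAMPLE_HEADER = (
    'Bearer authorization_uri="http://{subdomain}.okta.com/oauth2/v1/authorize", '
    'realm="http://{subdomain}.okta.com", '
    'scope="okta.governance.accessRequests.read", '
    'error="insufficient_scope", '
    'error_description="The access token provided does not contain the required scopes.", '
    'resource="/governance/api/v1/requests/{requestId}"'
)

# Matches key="value" pairs; values may contain spaces, punctuation and
# backslash-escaped quotes, as permitted for quoted-string parameters.
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Parse a Bearer auth challenge (RFC 6750 style) into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unexpected auth scheme: {scheme!r}")
    return {key: value for key, value in _PARAM_RE.findall(params)}


def missing_scopes(header: str, granted: set) -> list:
    """Return the scopes the challenge requires that are not in `granted`.

    An empty list means the 403 was not an insufficient_scope error, or
    every required scope is already granted (look elsewhere for the cause).
    """
    challenge = parse_bearer_challenge(header)
    if challenge.get("error") != "insufficient_scope":
        return []
    # The scope parameter is a space-separated list of required scopes.
    required = challenge.get("scope", "").split()
    return sorted(scope for scope in required if scope not in granted)


def diagnose_403(header: str, granted: set) -> str:
    """Produce a short, human-readable diagnosis for a 403 from an OIG endpoint."""
    challenge = parse_bearer_challenge(header)
    missing = missing_scopes(header, granted)
    resource = challenge.get("resource", "<unknown resource>")
    if not missing:
        return f"403 on {resource} is not caused by a missing scope grant."
    return (
        f"403 on {resource}: grant {', '.join(missing)} to the Okta Workflows "
        "OAuth application, then reauthorize the Okta connection."
    )


if __name__ == "__main__":
    # Assumed set of scopes currently granted to the Workflows OAuth app.
    granted_scopes = {"okta.users.read", "okta.groups.read"}
    print(diagnose_403(SAMPLE_HEADER, granted_scopes))
```

The granted-scope set is supplied by the operator (for example, copied from the Scopes tab of the Okta Workflows OAuth application); the script does not query Okta. Any scope it reports as missing is the one to grant in the Admin Console before reauthorizing the connection.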
- Okta Identity Governance (OIG)
- Okta Workflows
- Access Requests
- Access Certifications
To add Governance Scopes to the Okta Connector, please follow the steps below:
- Navigate to the Admin Console as a Super Admin.
- Navigate to Applications > Applications and open the Okta Workflows OAuth application.
- Under the Scopes tab, look for the scopes needed for the API endpoints that are going to be reached, and click Grant:
- A collection of OIG API scopes can be seen in the OAuth 2.0 Scopes article.
- Reauthorize the Okta connection in Okta Workflows (note: a new connection may be needed).
- When reauthorizing, go to the Permissions tab in the pop-up and either verify desired scopes are selected under Customize scopes or re-select Use default scopes as mentioned in the Okta Workflows Connection - Insufficient Scope article.
- Okta Connector Authorization.
- How to Authorize an Okta Connection in Okta Workflows.
- The Okta Identity Governance APIs can now be utilized through an Okta Custom API Action.
