
kph1g (kph1g) asked a question.
A user has requested API access to okta for a proof-of-concept application.
They have a test user, a test group, and a test OAuth application in Okta.
How do I restrict their OAuth application (in Okta) to only access the test user, the test group, and the "groups" api resource? (https://developer.okta.com/docs/api/resources/groups/*add-user-to-group). I've read a lot of documentation and it's unclear which features to use in which order.

Hi Eric,
The resource server should be validating the access token passed to it from the application. Please refer to https://developer.okta.com/authentication-guide/tokens/validating-access-tokens/#decode-the-access-token where it mentions the 'cid' claim, which is the client id of the application at Okta. The resource server can also check the other claims in the token. But since the Client Credentials flow is a machine-to-machine authentication, it is not tied to a user and hence user claims may not be present in the token in this case.
If you have further questions, please feel free to raise a case with Okta Support.
Thanks,
Padma