
SimonM.78301 (Customer) asked a question.
Hi. In a scenario where we want a single Authorization Server to have different Rules for different Service / Machine-to-Machine Applications (e.g. ServiceApp1 can only request Read Scope, ServiceApp2 can only request Write Scope) is there a way to create an Access Policy in an Authorization Server with a Rule that does *not* specify a Client or a Group?
In the following link:
https://developer.okta.com/docs/guides/customize-authz-server/create-rules-for-policy/*rule-use
... it is stated:
"Note: Service applications, which use the Client Credentials flow, have no user. If you use this flow, make sure that you have at least one rule that specifies the condition No user."
This is what we want, but we can't see a way to configure a Rule with a "No user" condition as stated - it seems mandatory that a User or Group needs to be assigned to the Application. I'm trying to avoid a workaround where we need to create a User in Okta just to assign to the Service Application which uses Client Credentials flow.
Is this possible? Or can we create an empty "No User" Group and assign that Group to the Application (which seems like a workaround)?

Just realised something - should I choose this option in the Rule:
"Any user assigned the app"
... and just never add a user to the App (since it's a Service App)?