
p32dx (p32dx) asked a question.
We have an internal service application, and we want to programmatically verify if our engineers are part of a certain Okta group before we let our engineers perform certain actions through our application.
If we want to use Okta API internally, then any of our internal engineers has the potential to misuse the Okta Client because they can essentially clone the repo, and run a query internally through the codebase for any user and be able to view that user's sensitive info.
Is there any way we can restrict the Okta client from returning sensitive info (password, address, etc.) from a user object, or are there any permissions that will restrict info for any Okta account so that we can only view the bare minimum of the user, such as Name, Email, and what Groups they are a member of, and exclude sensitive info?

Hello @p32dx (p32dx)
Thank you for posting.
Please check the following links with related information:
https://developer.okta.com/blog/2019/09/04/securing-rest-apis
https://developer.okta.com/books/api-security/api-keys/keep-keys-private/
Also, feel free to post this question on our Okta Developer Forums:
https://devforum.okta.com, and they should be able to help you with this.
Regards,
Natalia
Okta Inc.
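The usual mitigation for the concern raised in the question is to keep the Okta API token out of engineers' hands entirely: a single narrow internal service holds the token and exposes only a group-membership check plus an allow-listed profile view, so nobody who can clone the application repo gets a general-purpose Okta client. The following is an added example in Python, not part of the original thread and not Okta's SDK; the `/api/v1/users/{id}` and `/api/v1/users/{id}/groups` endpoints and the `SSWS` authorization scheme are Okta's, while the environment variable names, the sample responses and the injectable `fetch` parameter are assumptions made so the code can be exercised offline.

```python
import json
import os
import urllib.request
from typing import Any, Callable, Dict

# Allow-list: the only profile attributes this service ever returns to callers.
# Everything else in the Okta user object (address, phone, custom attributes) is dropped.
MINIMAL_PROFILE_FIELDS = ("firstName", "lastName", "email", "login")

# Constructed sample responses standing in for the Okta Users API (not real data).
SAMPLE_USER = {
    "id": "00u_example",
    "status": "ACTIVE",
    "profile": {
        "firstName": "Ada", "lastName": "Example",
        "email": "ada@example.com", "login": "ada@example.com",
        "streetAddress": "1 Example St", "mobilePhone": "+1 555 0100",
    },
}
SAMPLE_GROUPS = [
    {"id": "00g_a", "profile": {"name": "Everyone"}},
    {"id": "00g_b", "profile": {"name": "eng-deploy"}},
]

def sample_fetch(path: str) -> Any:
    """Offline stand-in for a GET against the org; returns the constructed samples."""
    return SAMPLE_GROUPS if path.endswith("/groups") else SAMPLE_USER

def okta_fetch(path: str) -> Any:
    """Real GET against the org. The token is read from the service host's
    environment (assumed variable names) and never leaves this function."""
    org = os.environ["OKTA_ORG_URL"]          # e.g. https://your-org.okta.com (placeholder)
    req = urllib.request.Request(org + path, headers={
        "Authorization": "SSWS " + os.environ["OKTA_API_TOKEN"],
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def minimal_user_view(user_id: str, fetch: Callable[[str], Any] = okta_fetch) -> Dict[str, Any]:
    """Return only the allow-listed profile fields plus group names for one user."""
    user = fetch(f"/api/v1/users/{user_id}")
    groups = fetch(f"/api/v1/users/{user_id}/groups")
    profile = user.get("profile", {})
    return {
        "id": user["id"],
        "profile": {k: profile[k] for k in MINIMAL_PROFILE_FIELDS if k in profile},
        "groups": sorted(g["profile"]["name"] for g in groups),
    }

def is_member(user_id: str, group_name: str, fetch: Callable[[str], Any] = okta_fetch) -> bool:
    """The one question the application actually needs answered."""
    return group_name in minimal_user_view(user_id, fetch)["groups"]
```

Run this behind an authenticated internal endpoint so the application calls `is_member` rather than holding Okta credentials itself; pair it with an API token created by a read-only administrator so that even a leaked token cannot change users or groups.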