<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D54z00009qJyJRCA0Okta Identity EngineWorkflowsAnswered2023-11-15T23:06:39.000Z2023-11-15T15:19:27.000Z2023-11-15T23:06:39.000Z

PhilipS.55984 (Customer) asked a question.

Best practices before and after reauthorization of okta in okta workflows

Hello there everyone,

 

I wanted to use the function in okta workflows 'Search System logs'. For that I needed to grant the okta.logs.read scope.

Now as far as I know, having granted the needed okta api scope, I have to reauthorize the Okta application in the Workflows > Connections.

I then received the warning that this will affect my already existing workflows which makes sense.

What steps do I need to take before or after reauthorizing so that my already existing Workflows still work. Does it even matter having only added an okta api scope but not removed one?

 

Cheers,

Phil


  • TimL.58332 (Workflows)

    @PhilipS.55984 (Customer)​  -- Performing a Re-Auth in the scenario you are describing is not going to cause any sort of "Connection issues". The warning is just there to consider that making changes could impact other flows (assuming you are taking away scopes). Adding additional scopes is just granting more privilege than previously available.

     

    So with Okta in general when you have OIDC apps (Such as Okta Workflows Oauth) the "Scopes" tab on the app is setting which scopes CAN be granted. The client making the request to setup the Oauth connection (Workflows - Okta connection) has a subset of scopes it will request (which is not all possible scopes).

     

    The list can be found here:

     

    https://help.okta.com/wf/en-us/content/topics/workflows/connector-reference/okta/overviews/guidanceforoktaconnector.htm

     

    One last note: Performing a Reauthorization doesn't always immediately give you a new Access Token with the newly configured scopes. You may have to wait up-to about an hour for access token in use to expire and the Refresh_token to request a new access token with the updated grants.

     

    If you want to test immediately I always recommend just making a new Okta connection after changing scopes. This will always immediately reflect your current settings.

    Expand Post
    Selected as Best
  • PhilipS.55984 (Customer)

    Disclaimer:

    If there is documentation of it and I just could not find it. Please share it with me. I will gladly look into it myself if there is documentation. I am happy for any kind of help.

     

  • TimL.58332 (Workflows)

    @PhilipS.55984 (Customer)​  -- Performing a Re-Auth in the scenario you are describing is not going to cause any sort of "Connection issues". The warning is just there to consider that making changes could impact other flows (assuming you are taking away scopes). Adding additional scopes is just granting more privilege than previously available.

     

    So with Okta in general when you have OIDC apps (Such as Okta Workflows Oauth) the "Scopes" tab on the app is setting which scopes CAN be granted. The client making the request to setup the Oauth connection (Workflows - Okta connection) has a subset of scopes it will request (which is not all possible scopes).

     

    The list can be found here:

     

    https://help.okta.com/wf/en-us/content/topics/workflows/connector-reference/okta/overviews/guidanceforoktaconnector.htm

     

    One last note: Performing a Reauthorization doesn't always immediately give you a new Access Token with the newly configured scopes. You may have to wait up-to about an hour for access token in use to expire and the Refresh_token to request a new access token with the updated grants.

     

    If you want to test immediately I always recommend just making a new Okta connection after changing scopes. This will always immediately reflect your current settings.

    Expand Post
    Selected as Best
This question is closed.
Loading
Best practices before and after reauthorization of okta in okta workflows