Okta Classic Engine | API Access Management | Answered (dates on record: 2024-01-12, 2024-04-04, 2024-05-06)

ScottB.07094 (American Century Investments) asked a question.

Granting an admin role to an API Services application

Let me preface this by saying I'm not a developer, nor am I very experienced in using APIs via Postman. I assume I'm missing something super basic, so I'm hoping this is easy to resolve.

 

I have a custom administrator role that I am trying to grant to an API Services application so that it can connect to Okta with the appropriate permissions. Looking at the API documentation here (https://developer.okta.com/docs/reference/api/roles/*assign-a-role-to-a-client-application), it looks like I need to write a POST to the Administrators API with the role ID, resource set ID, and client ID for the app. I think I have that put together correctly, but I can't seem to get past the OAuth authentication with my administrator account.

 

I'm pretty sure I'm just missing how to authenticate to the API server with the superadmin account so that I can make my POST, so I'm hoping someone can give me some guidance on the best way to do that. I appreciate any help. Thanks!


  • Mihai N. (Okta, Inc.)

    Hi @ScottB.07094 (American Century Investments), thank you for reaching out to the Okta Community!

     

     This question is more appropriate for our dedicated Okta Developer Forum.

    My advice would be to reach out to devforum.okta.com to take advantage of their expertise.

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work). 

    That being said, perhaps you are right and it is something basic that is being missed. Please provide a bit more information about what you are experiencing to see if we can perhaps assist. 

    How are you authorizing the API request? 

    Does the API call fail (any specific error?) or is it succeeding but you are having trouble with the next steps? 

     

     

    Regards.

    • ScottB.07094 (American Century Investments)

      Hi Mihai,

       

      Thanks for your response. I think my issue is the authentication on the request. Initially, I tried to pass an API key I generated with a superadmin account in the SSWS header, but that isn't working. I believe I have the request written correctly to assign the admin role I need, but authenticating that request with the API server seems to be my hang up.

       

      Do I need to somehow exchange the client ID and secret for an authorization code and then use that in the authentication header?

      • TimL.58332 (Workflows)

        Not when you are using an API token passed in an Authorization header.. like you mentioned: SSWS apiTokenValue.

         

        You can easily confirm your auth is working fine by just doing some other simple request like a USERS GET request:

         

        /api/v1/users/${userId}

         

        example: /api/v1/users/00u4uaguy2vruS14N5d7

         

        The API token is taken as the context of the user creating it. It actually provides more permission than if you are doing OAuth (which is what a client ID/secret is for), as there are permissions the token provides for which there are no OAuth scopes.

  • TimL.58332 (Workflows)

    @ScottB.07094 (American Century Investments) -- Guides to set up Postman with Okta can be found here:

     

    https://developer.okta.com/code/rest/

     

    and here:

     

    https://support.okta.com/help/s/article/How-to-integrate-Postman-with-Okta?language=en_US

     

    The link in your initial post appears to point here (these are native roles):

     

    https://developer.okta.com/docs/reference/api/roles/#assign-a-role-to-a-client-application

     

    This endpoint is a POST action with two required parameters:

    • Endpoint: /oauth2/v1/clients/${clientId}/roles
    • Parameters: clientId, type

     

    However, below this section there is an "Assign a custom role" section which has the parameters defined in your description: clientId, type, role, resource-set

     

    I don't know if this is the correct action you need to take for what you are trying to accomplish. Are you following some sort of guide that has directed you to use this endpoint?

     

    Such as: https://support.okta.com/help/s/article/how-to-create-custom-role-to-manage-specific-application?language=en_US

    • TimL.58332 (Workflows)

      On a side note: most things that can be done through the APIs can be done directly in the Okta Admin UI. If you don't have access to the Okta Admin UI, you also will not have access to the APIs.

       

      APIs are often leveraged when you want to perform automation to some degree. Otherwise, the Admin UI is likely a better option.

  • ScottB.07094 (American Century Investments)

    Hi Tim,

     

    Thanks for your response. Yes, I have created a custom role and I am trying to assign it to an application instead of a user or group. It's my understanding this isn't possible from the UI currently, so I have to do it via the API. This is the document that led me here: https://developer.okta.com/docs/reference/api/roles/#assign-a-custom-role-to-a-user-group-or-client-application

     

    Interestingly, the endpoint to assign the role to a client application is under /oauth2/ instead of /api/, which I think might be why I am unable to use the API key to authenticate.

     

    I know this might be a better fit for the Developer portal, but I'll put the info here anyway. Here's my cURL:

     

    curl --location --request POST 'https://{instanceUrl}/oauth2/v1/clients/{clientId}/roles' \
    --header 'Authorization: SSWS {apiToken}' \
    --header 'Content-Type: application/json' \
    --data-raw '{
      "type": "CUSTOM",
      "role": "{roleId}",
      "resource-set": "{resourceSet}"
    }'

     

    It seems like my issue is authenticating to the oauth2 endpoint on the API server, but I don't know how to get this request to authenticate using OAuth2. Is it simply a matter of creating another request to generate a token and then passing that token in the auth header for the cURL above?

  • Hello, I stumbled upon this question while looking for the answer myself. It took a little digging, but I thought I would share for those that find this also. In my case, I was trying to attach a standard admin role to a Service API app and also couldn't find a valid API under api/v1 to do this. Upon further research I was able to find that this API under the oauth2 scheme was able to achieve what I was looking for. You will need the ID of your client app to make the call.

     

    API URL: {{yourOktaOrg}}/oauth2/v1/clients/{{app_clientId}}/roles

    JSON Body: (You can find the different types by assigning a single user the roles and then querying the roles to get the types. I used super admin for this example.)

    {

    "type": "SUPER_ADMIN"

    }

    Action: POST

    Result should be a 201 Created and the client app will now be assigned the standard admin role.

     

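Putting the pieces of this thread together (Tim's advice to confirm the SSWS token with a simple GET first, the POST to /oauth2/v1/clients/{clientId}/roles with either a standard "type" or type CUSTOM plus role and resource-set, and the 201 Created result reported in the last reply) as one script. This is an added example, not code from the thread or from Okta. The environment variable names (OKTA_ORG, OKTA_API_TOKEN, OKTA_CLIENT_ID, OKTA_ROLE_ID, OKTA_RESOURCE_SET_ID, OKTA_ROLE_TYPE) and the helper function names are assumptions made for this example; the preflight request uses GET /api/v1/users/me, which returns the user the SSWS token belongs to. The helpers only build the request body and URL, so the script is inert without credentials; it calls Okta only when the variables are set.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): assign an admin role to an Okta
# API Services app via POST /oauth2/v1/clients/{clientId}/roles, authenticating
# with an SSWS API token. Env var names below are assumptions for this example.

# Build the JSON body. Standard roles need only "type"; a custom role needs
# type=CUSTOM plus the custom role ID and the resource-set ID.
role_body() {
  rb_type="$1"; rb_role="${2:-}"; rb_rset="${3:-}"
  if [ "$rb_type" = "CUSTOM" ]; then
    if [ -z "$rb_role" ] || [ -z "$rb_rset" ]; then
      echo "CUSTOM requires a role ID and a resource-set ID" >&2
      return 1
    fi
    printf '{"type":"CUSTOM","role":"%s","resource-set":"%s"}' "$rb_role" "$rb_rset"
  else
    printf '{"type":"%s"}' "$rb_type"
  fi
}

# Client-app role assignments live under /oauth2/v1, not /api/v1; the same SSWS token is used.
roles_url() {
  printf '%s/oauth2/v1/clients/%s/roles' "$1" "$2"
}

# curl wrapper: response body to $RESP_FILE, HTTP status on stdout,
# API token in the Authorization header with the SSWS scheme.
okta_curl() {
  curl -sS -o "$RESP_FILE" -w '%{http_code}' \
    -H "Authorization: SSWS ${OKTA_API_TOKEN}" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' "$@"
}

# assign_role ORG CLIENT_ID TYPE [ROLE_ID RESOURCE_SET_ID]; succeeds only on 201 Created.
assign_role() {
  ar_body=$(role_body "$3" "${4:-}" "${5:-}") || return 1
  ar_code=$(okta_curl -X POST "$(roles_url "$1" "$2")" --data "$ar_body")
  if [ "$ar_code" = "201" ]; then
    return 0
  fi
  echo "assignment failed: HTTP $ar_code $(cat "$RESP_FILE")" >&2
  return 1
}

# Only talk to Okta when the caller supplied credentials; the helpers above run offline.
if [ -n "${OKTA_ORG:-}" ] && [ -n "${OKTA_API_TOKEN:-}" ] && [ -n "${OKTA_CLIENT_ID:-}" ]; then
  RESP_FILE=$(mktemp)
  trap 'rm -f "$RESP_FILE"' EXIT

  # Preflight: a 200 here proves the SSWS header is accepted before touching roles.
  pf=$(okta_curl "${OKTA_ORG}/api/v1/users/me")
  [ "$pf" = "200" ] || { echo "token rejected: HTTP $pf $(cat "$RESP_FILE")" >&2; exit 1; }

  # Prefer a scoped custom role when IDs are given; otherwise a least-privilege standard role.
  if [ -n "${OKTA_ROLE_ID:-}" ] && [ -n "${OKTA_RESOURCE_SET_ID:-}" ]; then
    assign_role "$OKTA_ORG" "$OKTA_CLIENT_ID" CUSTOM "$OKTA_ROLE_ID" "$OKTA_RESOURCE_SET_ID" || exit 1
  else
    assign_role "$OKTA_ORG" "$OKTA_CLIENT_ID" "${OKTA_ROLE_TYPE:-READ_ONLY_ADMIN}" || exit 1
  fi

  # Confirm: GET on the same endpoint lists the roles now assigned to the app.
  okta_curl "$(roles_url "$OKTA_ORG" "$OKTA_CLIENT_ID")" >/dev/null
  cat "$RESP_FILE"; echo
fi
```

Run it as `OKTA_ORG=https://{yourOktaOrg} OKTA_API_TOKEN=... OKTA_CLIENT_ID=0oa... OKTA_ROLE_ID=cr0... OKTA_RESOURCE_SET_ID=iam... sh assign_role.sh`. Two points from the thread are worth keeping in mind when doing this for real: the SSWS token carries the full permissions of the super admin who created it, so treat it as a super-admin credential and revoke it when the assignment is done; and granting the app SUPER_ADMIN works (as the last reply shows) but a CUSTOM role bound to a resource set gives the app only what it needs.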
This question is closed.