0D54z00009xSGFpCAO | Okta Classic Engine | API Access Management | Answered | 2024-02-01T10:47:07.000Z | 2024-01-31T17:40:48.000Z | 2024-02-01T10:47:07.000Z
Using Service Application for API authentication to Governance Management API

Is it possible to authenticate to the governance API using an Okta service application with OAuth2 where I'm signing JWTs?

 

When I try hitting the oauth2/v1/token endpoint with a signed JWT specifying okta.governance scopes, I get a response that custom scopes are not allowed for the request, whereas when I try with a non-governance scope I get a correct 'You are not allowed any of the requested scopes' response.


  • TimL.58332 (Workflows)

    @User17061214995082993024 (Customer)​ 

     

    I am not exactly sure what it is you are trying to do. However, I know for certain a non-default application can be leveraged to grant access to the APIs. For example, I just created an OIDC webapp granted the governance scopes then leveraged OAUTH2 with the following scopes:

     

    offline_access okta.governance.accessCertifications.manage okta.governance.accessCertifications.read okta.governance.accessRequests.manage okta.governance.accessRequests.read okta.governance.entitlements.manage okta.governance.entitlements.read

     

    The connection was created successfully. I was then able to leverage this authn to make a GET request to https://{yourOktaDomain}/governance/api/v1/requests and return results.

    • Hi Tim, thank you for your response - it highlighted that it looks like the scope names for some of the Governance APIs are wrongly documented. On this page https://developer.okta.com/docs/api/iga/oauth2/ it is listed as okta.governance.accessRequest.manage but, as you put in your response, the actual scope needs to be okta.governance.accessRequests.manage (with the additional S). That is why I was getting a custom scope response.

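Added example, not part of the original posts and not Okta's code: a pre-flight check that catches the misspelled scope described in this thread before the token request is sent, so a near-miss name is reported locally instead of surfacing as a "custom scopes" error. The known-good list is copied from the reply above; `client_assertion` is assumed to be a JWT already signed elsewhere, and the function names are hypothetical.

```python
import difflib
from urllib.parse import urlencode

# Scope names exactly as listed in the reply above that connected successfully.
WORKING_SCOPES = (
    "offline_access",
    "okta.governance.accessCertifications.manage",
    "okta.governance.accessCertifications.read",
    "okta.governance.accessRequests.manage",
    "okta.governance.accessRequests.read",
    "okta.governance.entitlements.manage",
    "okta.governance.entitlements.read",
)

# Standard client-assertion type for JWT client authentication (RFC 7523).
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def check_scopes(requested, known=WORKING_SCOPES):
    """Map each requested scope not in `known` to its closest known name, or None."""
    unknown = {}
    for scope in requested.split():
        if scope not in known:
            near = difflib.get_close_matches(scope, known, n=1, cutoff=0.9)
            unknown[scope] = near[0] if near else None
    return unknown


def build_token_request(client_assertion, requested):
    """Return the form body for a POST to oauth2/v1/token, refusing unknown scopes."""
    unknown = check_scopes(requested)
    if unknown:
        hints = ", ".join(
            f"{bad!r} (did you mean {fix!r}?)" if fix else repr(bad)
            for bad, fix in unknown.items()
        )
        raise ValueError(f"scope names not in the known-good list: {hints}")
    return urlencode({
        "grant_type": "client_credentials",
        "scope": requested,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": client_assertion,  # assumed signed by the caller
    })
```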
