Okta Classic Engine | Authentication | Answered | 2025-04-28T22:34:45.000Z | 2024-03-13T22:21:46.000Z | 2024-03-15T19:03:14.000Z

11fod (11fod) asked a question.

Unable to create a case to get Profile Mappings via API enabled on my account

Hello,

I'm posting here as a last resort. I recently opened a developer account so I can test out the Okta terraform provider against it. I cannot query profile mappings via API in my account, I get an error saying I'm not authorized to perform that role, even though I've enabled that scope in my application. Internet searches show that this is a feature flag that needs to be enabled on accounts, and to create a case or email support. I tried to email but I got an auto reply saying I can't open cases that way. I cannot log into my developer account for my main account and this account I'm posting on also cannot submit a case.

Does support read these so they can help me? How can I create a case for support?

Thanks in advance!


  • TimL.58332 (Workflows)

    @11fod (11fod) -- I am assuming you are referring to:

    https://developer.okta.com/docs/guides/terraform-landing-page/main/

    (https://developer.okta.com/docs/guides/terraform-enable-org-access/main/)

    I have no familiarity with this myself. However, just looking at the "enable" page it sounds like you have the pre-reqs. It also reads like this is pretty new since it specifically indicates a "Developer Cell" which means it probably isn't even in preview/prod yet. You may want to reach out to sales as there may be a product acceleration team for this that can answer some of your questions (such as setup hangups).

    https://www.okta.com/contact-sales/
  • 11fod (11fod)

    Hey Tim,

    Thanks for the reply. To be clear, I have a working terraform setup and am building in tons of resources into my Okta account. It's just this one API doesn't work.

    This is a similar issue: https://support.okta.com/help/s/question/0D54z000072AklcCAC/you-do-not-have-permission-to-access-the-feature-you-are-requesting-profile-mapping?language=en_US

    It appears the user needs to make a support case, but in my case my account literally cannot make support cases. I've tried the email, tried the various ways, but I get an error saying "that url is not set up on your account, please contact support". So I'm stuck.
    • Hello @11fod (11fod) Thank you for reaching out to our Community!

      For the enablement of the required feature you will need to open a case with Support from a paid Okta account. If you do not have admin rights please ask someone else from your company to open the case on your behalf.

      However if you do not have the option to open a case from a Paid account, unfortunately we will not be able to enable the required feature.
    • TimL.58332 (Workflows)

      @11fod (11fod) -- Understood. But I've no idea which scope/endpoint you are referring to as you have yet to indicate it.

      One of the things to keep in mind with OAuth (it's one of those points that sometimes gets overlooked) is that just because the Client App (that contains the clientid/secret) has a scope enabled doesn't mean the client establishing the OAuth request from the client app is actually attempting to request that specific scope.

      Do you have a means to see your setup request?

      Example below. If the "Scope" you want isn't requested, even if the client you are making the request to supports the scope and has it enabled, the resulting access token will not be granted the rights. So for example the one below is wanting create/delete but let's say you wanted "update or read" access. Even if the client app supports full CRUD, since it was not requested the access token won't include all of the options.

      https://authorization-server.com/auth?response_type=code
      &client_id=29352735982374239857
      &redirect_uri=https://example-app.com/callback
      &scope=create+delete
      &state=xcoivjuywkdkhvusuye3kch
      • 11fod (11fod)

        Hey Tim, thanks again for the reply. I did mention it in the first message I posted. It's the profile mappings api/terraform resource.

        I made a terraform application in Okta that has a super user admin role and the terraform provider is requesting the profileMappings.manage scope (along with a number of other scopes that it needs for other resources).

        All that said, I'm fairly confident that this is an account level feature that needs to be configured and according to Paul's response, that won't work for dev accounts. I'm still waiting to get access to my org's official account to do further testing, so maybe we just leave it here for now.

        Appreciate your responses!
  • TimL.58332 (Workflows)

    @11fod (11fod) - It looks like the okta.profileMappings.read/manage were added back in 2021 (2021.11.3) so a little over 2 years ago. They are present in both my preview/prod orgs. Additionally, I created an OIDC webapp in my Production tenant. The scope was listed so I granted it. I then requested an OAuth code grant type with scopes for offline_access && okta.profileMappings.manage. Using the credentials I made a GET successfully to the /api/v1/mappings endpoint and returned values.

    https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ProfileMapping/#tag/ProfileMapping/operation/listProfileMappings

    As I stated before I am not familiar with Terraform. However, the gist of what I am reading is you are just having issues gaining authorization to resources (specific endpoints) because you are missing a scope.

    If in your Okta Admin you create a quick OIDC webapp (give it a name, then click skip on the bottom radio button, then save it) and look at the scopes tab, is it showing the okta.profileMappings.read/manage as an option? If it is, your tenant already has these scopes potentially available assuming the client app has them set to be allowed (granted). They still have to be requested however when setting up the connection.
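Added example, not code from this thread or from Okta: a small diagnostic that decodes an access token's claims and reports which required scopes are absent from its `scp` claim. It turns Tim's point (a scope must be both granted on the client app and requested, or the token will not carry it) into a check you can run on the token a client such as the terraform provider obtains before calling /api/v1/mappings; an empty result with a 403 still returned points at the tenant rather than at scopes. It assumes the token is an Okta Management API access token whose granted scopes are listed in `scp`; the sample token below is constructed locally and is unsigned.

```python
import base64
import json

# Scope the Okta Management API requires for GET /api/v1/mappings
# (listProfileMappings); okta.profileMappings.manage is needed for writes.
REQUIRED_FOR_LIST_MAPPINGS = {"okta.profileMappings.read"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Diagnostic use only: it shows what the authorization server put in the
    token, not whether the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(token: str, required: set) -> set:
    """Required scopes that the token's `scp` claim does not carry.

    An empty result means the client both had the scope granted and
    requested it, so a 403 at that point is a tenant-side problem."""
    granted = set(jwt_claims(token).get("scp", []))
    return set(required) - granted


def constructed_token(scopes: list) -> str:
    # Constructed, unsigned sample token (empty signature segment) so the
    # check can be exercised offline; real Okta tokens are RS256-signed.
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed-kid"}
    payload = {"iss": "https://dev-example.okta.com",  # constructed issuer
               "cid": "constructed-client-id", "scp": scopes}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Token requested with only user/group scopes, as a provider configured
    # without the mappings scopes would receive.
    tok = constructed_token(["okta.users.manage", "okta.groups.manage"])
    print(missing_scopes(tok, REQUIRED_FOR_LIST_MAPPINGS))
```

To check a real token, paste the access token the client obtained in place of the constructed one; the payload is only decoded, never sent anywhere.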
    • 11fod (11fod)

      I did what you said and I see the scopes available. Long and short of terraform is that it calls the apis of your providers behind the scenes with the configurations you define in code.

      Before I even wrote the original post, I added both the read and manage scopes to the service-to-service application that I created to give terraform access to my okta account. I also added the scopes to my terraform provider (basically equivalent to Okta.Sdk configuration object in .net or equivalent).

      Looks like this:

      provider "okta" {
        org_name       = "dev-<redacted>"
        base_url       = "okta.com"
        client_id      = "<redacted>"
        private_key_id = "<redacted>"
        private_key    = "${path.module}/rsa.pem"
        scopes = [
          "okta.groups.manage",
          "okta.apps.manage",
          "okta.users.manage",
          "okta.schemas.manage",
          "okta.policies.manage",
          "okta.appGrants.manage",
          "okta.roles.manage",
          "okta.profileMappings.manage",
          "okta.profileMappings.read",
        ]
      }

      So I believe I have done what you said in that I have configured them as available scopes for the application as well as requested those scopes when terraform creates the access token for me. I've also attached a screenshot of the granted scopes for my terraform application in the ui.

      [Attached screenshot: unknown file type; this file is no longer available.]
  • TimL.58332 (Workflows)

    @11fod (11fod) -- Okay. So I am assuming you are using this.. or something like this: https://registry.terraform.io/providers/okta/okta/latest/docs

    This does to me just look like an app that is requesting access then it makes API calls to do things.

    So what happens if you use the same credentials in a client like Postman to generate auth? Is it allowing you access? Or even if you have to create a new OIDC web app to authenticate against using let's say authorization code grant type (make sure to assign your user to the app). Then perform authentication then directly try to perform an action against the mappings endpoint(s). Is this successful?

    What I am trying to delineate here is if this is a problem on your tenant side or with the terraform app attempting to perform the actions.
This question has been closed.