Okta Classic Engine | Authentication | Answered | 2025-08-18T09:00:41.000Z | 2024-05-21T15:06:04.000Z | 2024-05-31T17:19:44.000Z

4x1v3 (4x1v3) asked a question.

How to Deny Authentication for Users Not in the Group

Hi,

I'm trying to create a custom app that authenticates users based on their assigned user group. The problem I'm facing is that users who are not in the group can still authenticate. I have set up authentication policies that should deny access to users not in the group, but users who are not in the group can still authenticate.

Here’s how I’m testing it:

  1. Get an access token: /oauth2/v1/token (using the app's payload and secrets)
  2. Authenticate API: /api/v1/authn (to get the session token)
  3. Session API: /api/v1/sessions (using the access token) <-- I expect users not in the group to be denied access here.

I'm not sure if my testing method is correct. I feel like I'm missing something. Can you please help?

Additional information:

  • Application type: Service
  • Grant type: Client Credential

Thanks!

Tested 2 users here. 1 is in the group, the other 1 is not; both are successful.

[Three screenshots of the test results are not available]


  • Mihai N. (Okta, Inc.)

    Hi @4x1v3 (4x1v3), Thank you for reaching out to the Okta Community!

    This question is more appropriate for our dedicated Okta Developer Forum.

    My advice would be to reach out via devforum.okta.com to take advantage of their expertise.

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).

    If I'm not mistaken, API service apps do not have an assignment tab. This means they cannot be assigned to specific users/groups in the traditional way. Looking at the screenshots you provided, I assume you went via the Group > grupName > Assign Applications route, but this does not mean that the Authentication policies would apply for this type of app.

    That being said, I definitely recommend discussing this with my colleagues on the developer side.

    Regards.

    --

    Join the discussion for the Ask Me Anything online event on May 23, 2024 with Okta Tactical Edge Product Experts

    Selected as Best
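The answer above explains why the test in the question passes for both users: the client-credentials token belongs to the service app, not to a person, so a user-scoped authentication policy never enters the picture. The following is an added example, not code from the original post or from Okta, that mirrors the three steps the question lists and then applies the group check on the application side, which is where it has to live for a Service app. The org URL, client id/secret, SSWS API token, test user and the group name `app-users` are placeholders; the use of `GET /api/v1/users/{id}/groups` for the membership lookup and the `sub == cid` heuristic for recognising an app-bound token are assumptions, not something the thread states.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (assumptions) for a real org; nothing here is the Okta SDK.
OKTA_ORG = "https://dev-000000.okta.com"      # placeholder org URL
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
API_TOKEN = "SSWS_API_TOKEN_PLACEHOLDER"      # for the user-groups lookup (assumption)
REQUIRED_GROUP = "app-users"                  # constructed group name


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT signature verification.
    Inspection only: never base an authorization decision on this alone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def unsigned_sample_jwt(claims: dict) -> str:
    """Constructed sample token for offline use (fake signature segment)."""
    return ".".join([_b64url_encode(b'{"alg":"none"}'),
                     _b64url_encode(json.dumps(claims).encode()), "fakesig"])


def token_is_user_bound(claims: dict) -> bool:
    """Heuristic (assumption about Okta's claim layout): a client-credentials
    token is issued to the app itself, so 'sub' equals the client id 'cid'.
    A token obtained on behalf of a user carries a user subject instead."""
    sub, cid = claims.get("sub"), claims.get("cid")
    return sub is not None and sub != cid


def allowed_by_group(user_groups: list, required_group: str) -> bool:
    """Application-side gate: allow only if one of the user's groups, as
    returned by GET /api/v1/users/{id}/groups, has the required name."""
    return any(g.get("profile", {}).get("name") == required_group for g in user_groups)


def _request(method, url, body=None, headers=None, form=False):
    """Minimal JSON HTTP helper on urllib (no third-party dependency)."""
    hdrs = {"Accept": "application/json", **(headers or {})}
    data = None
    if body is not None:
        data = (urllib.parse.urlencode(body) if form else json.dumps(body)).encode()
        hdrs["Content-Type"] = ("application/x-www-form-urlencoded" if form
                                else "application/json")
    req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_service_token(scope="okta.users.read"):
    """Step 1 of the question: client-credentials token for the service app."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    resp = _request("POST", f"{OKTA_ORG}/oauth2/v1/token",
                    {"grant_type": "client_credentials", "scope": scope},
                    {"Authorization": f"Basic {basic}"}, form=True)
    return resp["access_token"]


def authn(username, password):
    """Step 2: primary authentication; returns sessionToken and embedded user."""
    return _request("POST", f"{OKTA_ORG}/api/v1/authn",
                    {"username": username, "password": password})


def create_session(session_token):
    """Step 3: exchange the sessionToken for a session."""
    return _request("POST", f"{OKTA_ORG}/api/v1/sessions",
                    {"sessionToken": session_token})


def user_groups(user_id):
    """Group lookup with an SSWS API token (assumption: Users API access)."""
    return _request("GET", f"{OKTA_ORG}/api/v1/users/{user_id}/groups",
                    headers={"Authorization": f"SSWS {API_TOKEN}"})


def run_check(username, password):
    """Run the three steps, then apply the group gate the policy does not."""
    if token_is_user_bound(decode_jwt_claims(get_service_token())):
        raise RuntimeError("expected an app-bound (client_credentials) token")
    auth = authn(username, password)
    user_id = auth["_embedded"]["user"]["id"]
    if not allowed_by_group(user_groups(user_id), REQUIRED_GROUP):
        return {"allowed": False, "reason": f"user not in {REQUIRED_GROUP}"}
    session = create_session(auth["sessionToken"])
    return {"allowed": True, "session_id": session["id"]}
```

The pure functions (`decode_jwt_claims`, `token_is_user_bound`, `allowed_by_group`) run offline against constructed tokens and group lists; `run_check` needs a real org and the placeholders filled in. The point the example makes is that step 1 produces a token whose subject is the app itself, so the only place the "not in the group" user is turned away is the explicit `allowed_by_group` gate between steps 2 and 3.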
This question is closed.