
User17283728058443429135 (Customer) asked a question.
We have an app service with private/public key credentials for authentication. We initialize an
OAuthApi with the following configuration :
// Load the private key (JWK JSON) used for private_key_jwt client authentication
var privateKey = File.ReadAllText("privatekey.json");
var config = new Configuration
{
    OktaDomain = "https://devoktainstance.okta.com",
    AuthorizationMode = AuthorizationMode.PrivateKey,
    ClientId = "clientIdreplaced",
    Scopes = ["okta.apps.manage"],
    PrivateKey = new JsonWebKeyConfiguration(privateKey),
};
var oAuthApi = new OAuthApi(config);
var accessToken = await oAuthApi.GetBearerTokenAsync(); // we receive what seems to be a valid token with the correct scope granted.
We get accessToken back with correct claim for scopes:
"scp": [
    "okta.apps.manage"
]
However when trying to send a request to
{{url}}/api/v1/apps/{{applicationId}}/credentials/jwks
To add a new JWKs key in order to have and facilitate key rotation we received a 403 error:
{
    "errorCode": "E0000006",
    "errorSummary": "You do not have permission to perform the requested action",
    "errorLink": "E0000006",
    "errorId": "oaeiShl7lazQcCxeUc2tLIIsg",
    "errorCauses": []
}
Even though as per documentation okta.apps.manage scope is granted in the application and set on token.
Documentation link : Add Json Web Key
We are considering the 2nd possibility to do key rotation by providing an API/URL to Okta for fetching the keys dynamically, but we're not comfortable with having a public API exposing this without an extra security/auth method for it.
Also Super Administrator is set in Admin roles.
What can we do and what are we missing here?
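As an added diagnostic example (not code from the original post or from the Okta SDK), this C# snippet decodes the token's scp claim locally and then sends a GET and a POST to the same jwks endpoint so the two status codes and the 403 error body can be compared side by side; the Okta domain, app id, token and JWK body are placeholders.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Assumptions (placeholders, not values from the thread): the Okta domain, the app id,
// and the bearer token obtained via OAuthApi.GetBearerTokenAsync() as in the question.
const string OktaDomain = "https://dev-example.okta.com";   // placeholder
const string AppId = "0oaPLACEHOLDERAPPID";                  // placeholder
string accessToken = Environment.GetEnvironmentVariable("OKTA_TOKEN") ?? "<paste token here>";

// 1. Confirm what the token actually carries in its "scp" claim.
Console.WriteLine($"scp  = [{string.Join(", ", TokenClaimArray(accessToken, "scp"))}]");

// 2. Repeat the GET-vs-POST comparison suggested in the thread against the same endpoint.
using var http = new HttpClient();
var (getStatus, getBody) = await CallJwks(http, HttpMethod.Get, null);
Console.WriteLine($"GET  -> {getStatus}{(getStatus == 200 ? "" : " " + getBody)}");

// Constructed sample body; replace n/e with the real RSA public key material.
const string NewJwk = """{"kid":"rotation-key-2","kty":"RSA","use":"sig","e":"AQAB","n":"<modulus>"}""";
var (postStatus, postBody) = await CallJwks(http, HttpMethod.Post, NewJwk);
Console.WriteLine($"POST -> {postStatus}");

// 3. On a 403, surface errorCode and errorId so the request can be traced in the Okta System Log.
if (postStatus == 403)
{
    using var err = JsonDocument.Parse(postBody);
    Console.WriteLine($"errorCode={err.RootElement.GetProperty("errorCode")} errorId={err.RootElement.GetProperty("errorId")}");
}

// Decodes the JWT payload without verifying the signature: a local diagnostic only, not validation.
static string[] TokenClaimArray(string jwt, string claim)
{
    var b64 = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');   // restore base64 padding
    using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
    return doc.RootElement.GetProperty(claim).EnumerateArray().Select(e => e.GetString()!).ToArray();
}

async Task<(int Status, string Body)> CallJwks(HttpClient client, HttpMethod method, string? body)
{
    var req = new HttpRequestMessage(method, $"{OktaDomain}/api/v1/apps/{AppId}/credentials/jwks");
    req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    req.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    if (body is not null) req.Content = new StringContent(body, Encoding.UTF8, "application/json");
    var resp = await client.SendAsync(req);
    return ((int)resp.StatusCode, await resp.Content.ReadAsStringAsync());
}
```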

@User17283728058443429135 (Customer) -- Looking at this endpoint's docs: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationSSOCredentialOAuth2ClientAuth/#tag/ApplicationSSOCredentialOAuth2ClientAuth/operation/addJwk
There is a note right at the top indicating the process will fail due to "kid". I dunno what the expected response back would be ... but it could definitely be a 403.
If you change the method from a POST to a GET are you successfully retrieving data with the defined scope? That would be a good test to see if the scope is providing you permissions or not.
Hi @TimL.58332 (Workflows)
The documentation there mentions "Note: This API doesn't allow you to add a key if the existing key doesn't have a kid". The request body contains a unique kid for the key. Even if it were because of a missing kid property, I would expect a different error, not a 403 Forbidden.
This is the response from the API:
{
    "errorCode": "E0000006",
    "errorSummary": "You do not have permission to perform the requested action",
    "errorLink": "E0000006",
    "errorId": "oae2cCF5SkzQ-OhXqWG9GYqEg",
    "errorCauses": []
}
Any help here would be really great.
Thanks,
Dan
Regarding the GET endpoint: yes, it is working as expected per the granted scope.