
GiridharanD.41770 (Customer) asked a question.
Hi All, Am tryin to connect to OKTA custom identity source using OKTA Workflows. Okta Workflows OAuth Auth is granted with the scopes okta.identitySources.read and okta.identitySources.manage. When trying to list the Import session am receiving
"message": "403 Forbidden", "description": "HTTP Request Error",

Hello @GiridharanD.41770 (Customer) Thank you for posting on our Community page!
Please see our troubleshooting guide below with this error and the required steps to resolve this error:
https://support.okta.com/help/s/article/403-Forbidden-error-using-an-Okta-connector-Action-card-in-a-Workflow?language=en_US
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Join the discussion for Ask Me Anything on February 4, 2025: Advancements in Okta’s On-Prem Directory Integrations
I too get a 403 when trying to run the Workflow card "Okta - List Import Sessions" against the "Okta Workflows OAuth" app. However my app instance does not have a scope "okta.identitySources.read" so there must be a feature flag in your tenant turned on that I don't.
I did find a doc that states that "okta.identitySources.read" and "okta.apps.read" scopes are needed for "List Import Sessions" action card and I see you did not mention "okta.apps.read" so you might check to make sure it is enabled. https://help.okta.com/wf/en-us/content/topics/workflows/connector-reference/okta/overviews/scopes.htm#ActionScopes
That being said, I also wonder if perhaps you should be supplying the action card with the app id for your Anything-as-a-Source (XaaS) rather than at the "Okta Workflows OAuth" app. The following are more docs related to this that might help you figure out what app to use for your use case.
https://help.okta.com/wf/en-us/content/topics/workflows/connector-reference/okta/actions/listimportsession.htm
https://help.okta.com/oie/en-us/content/topics/users-groups-profiles/usgp-anything-as-a-source.htm?cshid=ext-anything-as-a-source
https://help.okta.com/oie/en-us/content/topics/users-groups-profiles/usgp-use-anything-as-a-source.htm
I probably won't be of much further help but hopefully @Tim LaBorn (Employee) will chime in on this as he is a Workflow expert and has helped me out with more complex Workflow issues.
@GiridharanD.41770 (Customer)
>Okta Workflows OAuth Auth is granted with the scopes okta.identitySources.read and okta.identitySources.manage.
As far as permissions go there are two things you need to look at:
* In Applications > Applications > Okta Workflows Oauth > Okta API Scopes do you have those two scopes set to granted? (This is the OIDC apps that performs the granting). Note: Any changes to the "Grants" on the app will require you to re-auth your connection with the client to request the new scopes.
* In Workflow > Workflows Console > Connections > New (Okta) connection. Under the Permissions tab when "Default" is selected indicating everything in the following list is turned on do you see those two scopes listed? (This is the client that requests a subset of scopes to be granted by the OIDC app)
If those scopes are missing from the app you either do not have XaaS provisioned in the org or there was an issue with the provisioning of XaaS to the org. Neither of these are specifically Okta Workflows issues. If the permissions are not something available in the org then it will not be possible for the API client Okta Workflows to gain the required scopes.
To correct a provisioning problem with XaaS you would need to open a case with the Lifecycle Management team as they handle XaaS issues.