Skip to content

bug: create app with only okta.apps.manage scope fails #2334

New issue
New issue
Open
#2428
Open
bug: create app with only okta.apps.manage scope fails#2334
#2428
Labels
bug
@exitcode0

Description

@exitcode0
exitcode0
opened on Jun 3, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.11.4
on darwin_arm64
+ provider registry.terraform.io/okta/okta v4.18.0

Affected Resource(s)

  • okta_app_*
    • okta_app_bookmark
    • okta_app_saml
    • okta_app_oauth

Terraform Configuration Files

resource "okta_app_bookmark" "example_bookmark" {
  label = "example_bookmark - 123"
  url   = "https://example.com"
}
provider "okta" {
  org_name    = var.okta_org_name
  base_url    = var.okta_base_url
  client_id   = var.client_id
  scopes      = ["okta.apps.manage"]
  private_key = var.private_key
  # <Other attributes here as required>
}

Error Output

Error:  
failed to set authentication policy for bookmark application:  
error finding default ACCESS_POLICY the API returned an error:  
The access token provided does not contain the required scopes.

Expected Behavior

If the provider has the ability to manage okta applications, we should be able to create applications whilst also making use of the underlying default behavior of the Okta apps API, i.e. we should be able to create apps in the default authentication policy

Actual Behavior

The provider creates the application as expected, but then explicitly updates the authentication_policy which then fails if we lack the permission to update policies, the relevant permission here is likely something like okta.policies.manage
I'm yet to validate this, but my expectation is that despite the error, the application is likely created regardless and would now be using the default authentication policy, if this is not the case the resource would likely be tainted

Important Factoids

I think the problematic code is here I think we need to check if the user has provided a value for the attribute before we attempt to call createOrUpdateAuthenticationPolicy()

References

N/A

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions