Description: Key Manager OKTA doesn't work when the API is subscribed to an application other than the Default Application in the DevPortal of WSO2 APIM 3.2.0.
Steps to reproduce:
- Login to admin portal using admin credentials.
- Register the OKTA key manager using the details collected from OKTA. Ensure the steps mentioned in the documentation are followed.
- Keep Token Generation, Out Of Band Provisioning, Oauth App Creation options enabled.
- Login to Publisher Portal using admin credentials.
- Deploy the PizzaShack API.
- Go to Run time configurations and, under application security, keep only the OKTA Key manager allowed for the API.
- Save and Publish the API.
- Login to Developer Portal using admin credentials.
- Create a new Application for OKTA exactly as mentioned here https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-okta-connector/.
- Subscribe the PizzaShack API to the new application.
- Generate the access token for an OKTA end user directly via the OKTA API.
  The OKTA end user is not available in the WSO2 user store, and the WSO2 DevPortal is not used to generate the access token.
- Make a request to the PizzaShack API using the generated access token.
- WSO2 returns the error below:

      <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
        <ams:code>900908</ams:code>
        <ams:message>Resource forbidden </ams:message>
        <ams:description>User is NOT authorized to access the Resource. API Subscription validation failed.</ams:description>
      </ams:fault>

- Go to the DevPortal and unsubscribe the PizzaShack API from the new application.
- Subscribe the PizzaShack API to the default application and save.
- Make a request to the PizzaShack API using the earlier generated access token.
- WSO2 responds with the API result.