Description

Okta documentation (classic engine / identity engine) defines API tokens, or "SSWS tokens", as authentication credentials for Okta API requests created by specific users. Actions performed with these tokens act on behalf of their owner. Treat API tokens as secrets and secure them like passwords. These tokens inherit the permissions of their creator; if the user's permissions change, the token's permissions change accordingly. Super admins, org admins, group admins, group membership admins, and read-only admins have the ability to create tokens.

Most user-created API tokens are legitimate and used to automate actions. However, attackers can abuse this by creating malicious tokens on behalf of an admin to maintain persistent access.

Methodology and objective:

  • This IoE focuses solely on API tokens for the Okta API, as other token types are currently less likely to be abused based on the threat landscape.
  • This IoE reports tokens with status "Idle" because they are still valid and can be abused anytime.

Solution

This Indicator of Exposure cannot determine whether an API token is legitimate. You must manually review tokens by contacting their owners to verify their legitimacy.

Revoke any unrecognized token, as an attacker may have created it for persistence purposes. If you have serious doubts, consider conducting a forensic analysis.

You can also consider revoking unnecessary legitimate API tokens to reduce the attack surface and potential for abuse.
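As an added illustration of the owner review described above (example code, not part of this page or of the product it documents), the following Python builds a per-owner list of API tokens that were created but never revoked, replayed from Okta System Log events. The event type names "system.api_token.create" / "system.api_token.revoke" and the record layout are assumptions, and the sample events are constructed.

```python
"""Owner-review list of outstanding Okta API tokens, built from System Log events.
Assumed (not from the page): event types "system.api_token.create" /
"system.api_token.revoke" with the affected token as a target of type "Token".
"""
from collections import defaultdict

CREATE = "system.api_token.create"
REVOKE = "system.api_token.revoke"

# Constructed sample events in the shape of Okta System Log records (not real output).
SAMPLE_LOG = [
    {"eventType": CREATE, "published": "2024-05-01T09:00:00Z", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "target": [{"type": "Token", "id": "tokA", "displayName": "ci-deploy"}]},
    {"eventType": CREATE, "published": "2024-05-02T10:00:00Z", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"},
     "target": [{"type": "Token", "id": "tokB", "displayName": "backup-sync"}]},
    {"eventType": REVOKE, "published": "2024-05-03T11:00:00Z", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "target": [{"type": "Token", "id": "tokA", "displayName": "ci-deploy"}]},
    {"eventType": CREATE, "published": "2024-05-04T12:00:00Z", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "bob@example.com"},
     "target": [{"type": "Token", "id": "tokC", "displayName": "unknown"}]},
]

def token_targets(event):
    """Target entries that describe an API token."""
    return [t for t in event.get("target", []) if t.get("type") == "Token"]

def outstanding_tokens(events):
    """Map token id -> creating event for tokens created and never revoked (failed attempts ignored)."""
    live = {}
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        for tgt in token_targets(ev):
            if ev["eventType"] == CREATE:
                live[tgt["id"]] = ev
            elif ev["eventType"] == REVOKE:
                live.pop(tgt["id"], None)
    return live

def review_list(events):
    """Group outstanding tokens by creator so each owner can confirm them."""
    by_owner = defaultdict(list)
    for token_id, ev in outstanding_tokens(events).items():
        name = next(t["displayName"] for t in token_targets(ev) if t["id"] == token_id)
        by_owner[ev["actor"]["alternateId"]].append(
            {"id": token_id, "name": name, "created": ev["published"]})
    return dict(by_owner)
```

Running `review_list(SAMPLE_LOG)` yields only bob's "backup-sync" token, since alice's token was revoked and the failed creation never produced a token.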

Indicator Details

Name: User With API Token

Codename: USER-WITH-API-TOKEN

Severity: Low

Type: Okta Indicator of Exposure

MITRE ATT&CK Information: