# Okta_ReadClientSecret

> Ability to read client secrets for scoped Okta applications

Applies to BloodHound Enterprise and CE

## Edge Schema

* Source: [Okta\_User](/opengraph/extensions/okta/nodes/okta_user), [Okta\_Group](/opengraph/extensions/okta/nodes/okta_group), [Okta\_Application](/opengraph/extensions/okta/nodes/okta_application)
* Destination: [Okta\_ClientSecret](/opengraph/extensions/okta/nodes/okta_clientsecret)
* Traversable: ✅

## General Information

The traversable Okta\_ReadClientSecret edges represent permissions that allow a principal (user, group, or application) to read OAuth client secrets for scoped Okta applications. These edges are created for the **Application Administrator**, **API Access Management Administrator**, and **Read-only Administrator** built-in roles and for custom roles with the `okta.apps.clientCredentials.read` permission.

```mermaid
graph TD
    org("Okta_Organization contoso.okta.com")
    u1("Okta_User john@contoso.com")
    g1("Okta_Group Auditors")
    app1("Okta_Application HR Sync")
    secret1("Okta_ClientSecret abcdefgh")
    r1("Okta_Role Read-only Administrator")
    u1 -- Okta_MemberOf --> g1
    g1 -- Okta_ReadClientSecret --> secret1
    secret1 -- Okta_SecretOf --> app1
    app1 -- Okta_SuperAdmin --> org
    g1 -. Okta_HasRole .-> r1
```

## Potential Attack Scenarios

An attacker with the ability to read client secrets for an application assigned the Super Administrator role could potentially use the client secret to authenticate as that application and perform privileged actions in Okta.
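The following is an added example, not BloodHound's own collector or query code. It applies the edge rule from the General Information section to constructed data: it derives Okta_ReadClientSecret edges from built-in and custom role assignments, then checks which principals can traverse ReadClientSecret -> SecretOf -> SuperAdmin to reach the organization. The (role, scope) representation, the custom role name and all principals are assumptions made for the example.

```python
from collections import defaultdict, deque

# Roles that create Okta_ReadClientSecret edges, per the page.
BUILTIN_READ_SECRET_ROLES = {"Application Administrator",
                             "API Access Management Administrator",
                             "Read-only Administrator"}
CLIENT_SECRET_READ_PERM = "okta.apps.clientCredentials.read"
ORG = "contoso.okta.com"  # the Okta_Organization node

def role_reads_client_secrets(role, custom_role_perms):
    """True if a built-in or custom role lets its holder read client secrets."""
    return (role in BUILTIN_READ_SECRET_ROLES
            or CLIENT_SECRET_READ_PERM in custom_role_perms.get(role, ()))

def build_graph(member_of, has_role, custom_role_perms, secret_of, super_admin_apps):
    """Adjacency sets for this page's edges; has_role maps principal -> [(role, scope)],
    scope being the set of apps the role is scoped to, or None for all (an assumption)."""
    g = defaultdict(set)
    for user, groups in member_of.items():            # Okta_MemberOf
        g[user].update(groups)
    for principal, assignments in has_role.items():   # -> Okta_ReadClientSecret
        for role, scope in assignments:
            if role_reads_client_secrets(role, custom_role_perms):
                g[principal].update(s for s, app in secret_of.items()
                                    if scope is None or app in scope)
    for secret, app in secret_of.items():             # Okta_SecretOf
        g[secret].add(app)
    for app in super_admin_apps:                      # Okta_SuperAdmin
        g[app].add(ORG)
    return g

def reaches_org(g, start):
    """Breadth-first search: can `start` traverse to the organization node?"""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == ORG:
            return True
        for nxt in g[node] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return False

# Constructed sample data mirroring the diagram above, plus one custom role.
MEMBER_OF = {"john@contoso.com": ["Auditors"]}
HAS_ROLE = {"Auditors": [("Read-only Administrator", None)],
            "amy@contoso.com": [("Helpdesk Secrets", {"Payroll"})]}
CUSTOM_ROLE_PERMS = {"Helpdesk Secrets": {CLIENT_SECRET_READ_PERM}}
SECRET_OF = {"abcdefgh": "HR Sync", "zyxwvuts": "Payroll"}
GRAPH = build_graph(MEMBER_OF, HAS_ROLE, CUSTOM_ROLE_PERMS, SECRET_OF, {"HR Sync"})
```

Running `reaches_org(GRAPH, "john@contoso.com")` returns True because the Auditors group's Read-only Administrator role reaches the HR Sync secret, while amy's custom role is scoped to Payroll only and does not reach the organization.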
