I'm trying to integrate SSO into an internally-distributed command line interface. I would like to enable the following OAuth / OpenID setup:
- Command line interface authenticates using the /oauth2/:authServerId/v1/token endpoint with the password grant type, requesting the "openid" and "groups" scopes. On success, it receives an access token
- Access token is forwarded in the Authorization header while making a request to the Resource Server
- Resource Server uses access token with attached claims to fetch groups from /oauth2/:authServerId/v1/userinfo, and validates group membership before serving request
The security-related assumptions here are that the client secret is not at risk of being exposed due to tightly controlled app distribution, and that the access token has to be valid in order to retrieve group info for authorization on the Resource Server.
An ID token would be more straightforward, but it does not appear there is an endpoint that currently supports issuing such a token using the password grant type.
In any event, I seem to always get a 403 when making a POST request to the /oauth2/:authServerId/v1/token endpoint, with no error code. I've tried with differently configured clients, with bodies with no params specified and with all params specified; the result is always the same.
Are things configured incorrectly, is this not possible with Okta, or is some other problem at play?
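The flow described in the question, as an added Python example (not the poster's code and not Okta's SDK): the CLI builds the password-grant request against the token endpoint, and the resource server presents the bearer token to the userinfo endpoint and checks group membership before serving. The issuer URL is a placeholder, the `groups` claim is assumed to be configured on the authorization server, and `fake_userinfo` is a constructed stand-in for the real endpoint so the code runs offline.

```python
import base64
import io
import json
import urllib.error
import urllib.parse
import urllib.request

ISSUER = "https://example.okta.com/oauth2/default"  # placeholder issuer; ":authServerId" is "default"


def build_token_request(issuer, client_id, client_secret, username, password):
    """CLI side: password grant against /oauth2/:authServerId/v1/token.
    Client credentials go in an HTTP Basic header (client_secret_basic);
    grant parameters go form-encoded in the body, never in the URL."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "password", "username": username, "password": password,
        "scope": "openid groups",
    }).encode()
    return urllib.request.Request(
        f"{issuer}/v1/token", data=body, method="POST",
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})


def send(req, opener=urllib.request.urlopen):
    """Send a request and return (status, parsed JSON body). On an HTTP error the
    body is still parsed so an 'error'/'error_description' pair is not lost."""
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def groups_for_token(issuer, access_token, opener=urllib.request.urlopen):
    """Resource-server side: only a valid access token yields userinfo claims.
    Returns the set of groups, or None when the token is rejected."""
    req = urllib.request.Request(f"{issuer}/v1/userinfo",
                                 headers={"Authorization": f"Bearer {access_token}"})
    status, claims = send(req, opener)
    return set(claims.get("groups", [])) if status == 200 else None  # assumes a 'groups' claim


def is_authorized(issuer, access_token, required_group, opener=urllib.request.urlopen):
    """Deny unless userinfo succeeded AND the required group is present."""
    groups = groups_for_token(issuer, access_token, opener)
    return groups is not None and required_group in groups


class _FakeResponse:  # constructed stand-in for a urllib response (offline run)
    def __init__(self, status, payload):
        self.status, self._body = status, json.dumps(payload).encode()
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def fake_userinfo(req):
    """Constructed userinfo endpoint: one known-good token, everything else 401."""
    if req.get_header("Authorization") == "Bearer good-token":
        return _FakeResponse(200, {"sub": "u1", "groups": ["cli-users", "Everyone"]})
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {},
                                 io.BytesIO(b'{"error": "invalid_token"}'))
```

Swap `fake_userinfo` for the default `urllib.request.urlopen` to run against a real authorization server.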