400 Bad Request - Error "Clients with ‘application_type’ of ‘service’ are not allowed to access the ‘authorize’ endpoint" with Okta
Overview

When a Service Application attempts to call the /authorize endpoint, the request fails with the following error:

400 Bad Request: Clients with ‘application_type’ of ‘service’ are not allowed to access the ‘authorize’ endpoint.


Applies To
  • Okta Identity Engine (OIE)
  • Classic Engine
  • Service Application
  • OAuth 2.0 Client Credentials Flow
  • Machine-to-Machine (M2M) Authentication
Cause

The /authorize endpoint is designed for OpenID Connect (OIDC) flows that involve user interaction (such as the Authorization Code or Implicit flows). Service Applications are designed for machine-to-machine communication using the Client Credentials grant type, which interacts exclusively with the /token endpoint, so Okta rejects any /authorize request from a client whose application_type is service.

Solution

When using a Service Application, skip the /authorize call entirely and request tokens directly from the /token endpoint.

  1. Identify the token endpoint of the Okta Authorization Server (for example, https://${OktaDomain}/oauth2/v1/token).
  2. Ensure the application is configured to use the Client Credentials grant type.
  3. Build the request to the /token endpoint with the required parameters (Client ID, Client Secret or Private Key JWT, and Scopes).
  4. Send the request directly to the /token endpoint to obtain the Access Token.
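The following is an added example of steps 1 to 4, not Okta's own code. It assumes an org domain, a service app client ID and client secret (all placeholders) and the default org authorization server path /oauth2/v1/token quoted above; the scope name is an assumption as well. The client secret is sent as an HTTP Basic header (client_secret_basic), and the response is validated before the token is handed back so that an OAuth error body is never mistaken for a credential.

```python
"""Client credentials token request against Okta's /token endpoint.

Added example, not Okta's own code. Assumes an Okta org domain, a service
app's client ID and client secret (placeholders below) and the default org
authorization server token endpoint /oauth2/v1/token from the article.
"""
import base64
import json
import urllib.parse
import urllib.request

OKTA_DOMAIN = "example.okta.com"          # placeholder org domain
CLIENT_ID = "0oa_placeholder_client_id"   # placeholder service app client ID
CLIENT_SECRET = "placeholder_secret"      # placeholder; load from a secret store in practice


def build_token_request(domain, client_id, client_secret, scopes):
    """Build the HTTP request for the client credentials grant.

    Service apps never call /authorize; the only endpoint they use is /token.
    Credentials go in a Basic Authorization header (client_secret_basic) and
    the grant type and space-separated scopes go in the form-encoded body.
    Returns (url, headers, body) so the request can be inspected before sending.
    """
    url = f"https://{domain}/oauth2/v1/token"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Accept": "application/json",
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
    }).encode()
    return url, headers, body


def parse_token_response(raw_json):
    """Validate a /token response and return (access_token, expires_in).

    Raises ValueError on an OAuth error document or an unexpected token shape
    so that callers never treat an error response as a bearer credential.
    """
    data = json.loads(raw_json)
    if "error" in data:
        raise ValueError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response shape")
    return data["access_token"], int(data["expires_in"])


def fetch_access_token(domain, client_id, client_secret, scopes):
    """Send the request to /token (network call) and return the parsed token."""
    url, headers, body = build_token_request(domain, client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # "okta.users.read" is an assumed scope; grant whichever scopes the service app actually needs.
    token, ttl = fetch_access_token(OKTA_DOMAIN, CLIENT_ID, CLIENT_SECRET, ["okta.users.read"])
    print(f"access token obtained, expires in {ttl} seconds")
```

Because build_token_request only constructs the request, it can be unit tested offline; the resulting URL ends in /token and never /authorize, which is the whole point of the fix above. A private_key_jwt client would replace the Basic header with client_assertion and client_assertion_type form parameters, but the rest of the flow is unchanged.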

NOTE: Service apps are not compatible with OIDC grant types that require a browser-based redirect or user login.

For more information on the client credentials flow used by service apps, see: Implement authorization with the client credentials grant type.
