This article offers guidance on why an OIDC Web App would be missing Client Credentials as a grant type.
- OIDC
- API Access Management
- Web apps
The Client Credentials grant type cannot be enabled if the org lacks the API Access Management feature add-on.
This limitation occurs because the Client Credentials flow never has a user context, so requesting OpenID scopes is impossible. Instead, create a custom scope, which requires working with a custom authorization server, which in turn requires the API Access Management feature.
As API Access Management is a paid add-on feature, contact the designated Okta Account Manager to learn more about pricing directly. If no Account Manager is assigned or the account owner's contact information is unknown, please contact our Sales Team. Details are on our Contact us page.
NOTE: With the built-in Org Authorization Server, the Client Credentials flow can only be used to obtain Access Tokens that the Okta management endpoints can ingest.
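The scope rules described above, as an added example that is not Okta's own code: a preflight check that flags scopes a Client Credentials request cannot carry, and builds (without sending) the token request for a custom authorization server. The domain, authorization server ID, client credentials and `inventory.read` scope are constructed placeholders; the `okta.` prefix test for Org Authorization Server scopes and the use of HTTP Basic client authentication are assumptions of this example.

```python
import base64
from urllib.parse import urlencode

# Scopes reserved by OpenID Connect. Each describes an end user, and the
# Client Credentials flow has no user context to attach them to.
OIDC_SCOPES = {"openid", "profile", "email", "address", "phone", "offline_access"}


def token_endpoint(okta_domain, auth_server_id=None):
    """Org Authorization Server when auth_server_id is None, else a custom one."""
    if auth_server_id is None:
        return f"https://{okta_domain}/oauth2/v1/token"
    return f"https://{okta_domain}/oauth2/{auth_server_id}/v1/token"


def scope_problems(scopes, auth_server_id=None):
    """Return the reasons these scopes do not fit a Client Credentials request."""
    problems = []
    if not scopes:
        # Assumption: no default scope is configured on the authorization server.
        problems.append("no scope requested; create and request a custom scope")
    for scope in scopes:
        if scope in OIDC_SCOPES:
            problems.append(f"{scope}: OpenID scope needs a user context")
        elif auth_server_id is None and not scope.startswith("okta."):
            # Assumption: Okta management scopes are the ones named okta.*
            problems.append(f"{scope}: custom scopes need a custom authorization server")
    return problems


def build_token_request(okta_domain, auth_server_id, client_id, client_secret, scopes):
    """Build, but do not send, the token request for a custom authorization server."""
    problems = scope_problems(scopes, auth_server_id)
    if problems:
        raise ValueError("; ".join(problems))
    # HTTP Basic client authentication: base64("client_id:client_secret")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": token_endpoint(okta_domain, auth_server_id),
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}),
    }
```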
