This article details how to create an OAuth/OIDC application with a custom client_id and/or client_secret using the Okta Management API.
Applies To
- OAuth2 / OIDC Applications
Prerequisites
- Okta Domain
- API Token or Access Token
Create A New Application
Depending on the type of application being created, it is often easier to create the application in the UI and configure it as needed, then use the Management API to retrieve its definition and re-create it with a custom client_id and client_secret.
- Make a GET call to retrieve the definition of a template application created in the UI (the app id in the URL is the same value as the OIDC client_id):
curl --location --request GET 'https://OktaDomain.okta.com/api/v1/apps/<client_id>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <API_TOKEN>'
Response:
{
  "id": "0oa9ht5knq78zN8Ni1d7",
  "name": "oidc_client",
  "label": "Web App Template",
  "status": "ACTIVE",
  "lastUpdated": "2023-08-15T06:12:09.000Z",
  "created": "2023-08-15T06:11:46.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "visibility": {
    "autoLaunch": false,
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": true,
      "web": true
    },
    "appLinks": {
      "oidc_client_link": true
    }
  },
  "features": [],
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "EyROxC6JMxK2ECPPabB-_zj76klcLXj3L5xCuiBNHpw"
    },
    "oauthClient": {
      "autoKeyRotation": true,
      "client_id": "0oa9ht5knq78zN8Ni1d7",
      "token_endpoint_auth_method": "client_secret_basic",
      "pkce_required": false
    }
  },
  "settings": {
    "app": {},
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "manualProvisioning": false,
    "implicitAssignment": false,
    "notes": {
      "admin": null,
      "enduser": null
    },
    "oauthClient": {
      "client_uri": null,
      "logo_uri": null,
      "redirect_uris": [
        "http://localhost:8080/authorization-code/callback"
      ],
      "post_logout_redirect_uris": [
        "http://localhost:8080"
      ],
      "response_types": [
        "code"
      ],
      "grant_types": [
        "refresh_token",
        "authorization_code"
      ],
      "application_type": "web",
      "consent_method": "REQUIRED",
      "issuer_mode": "DYNAMIC",
      "refresh_token": {
        "rotation_type": "ROTATE",
        "leeway": 30
      },
      "idp_initiated_login": {
        "mode": "DISABLED",
        "default_scope": []
      },
      "wildcard_redirect": "DISABLED",
      "dpop_bound_access_tokens": false
    }
  },
  "_links": {
    "uploadLogo": {
      "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/logo",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "appLinks": [
      {
        "name": "oidc_client_link",
        "href": "https://OktaDomain.okta.com/home/oidc_client/0oa9ht5knq78zN8Ni1d7/aln177a159h7Zf52X0g8",
        "type": "text/html"
      }
    ],
    "groups": {
      "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/groups"
    },
    "logo": [
      {
        "name": "medium",
        "href": "https://op3static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
        "type": "image/png"
      }
    ],
    "clientCredentials": [
      {
        "name": "secrets",
        "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/credentials/secrets"
      }
    ],
    "users": {
      "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/users"
    },
    "deactivate": {
      "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/lifecycle/deactivate"
    }
  }
}
- Create a new application definition from the response. Remove the read-only attributes that Okta generates, such as id, _links, the created/lastUpdated timestamps, and the credentials > signing key id. In the credentials > oauthClient section, specify custom client_id and client_secret values. Provide a new label for the application.
curl --location --request POST 'https://OktaDomain.okta.com/api/v1/apps' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <API_TOKEN>' \
--data-raw '{
  "name": "oidc_client",
  "label": "Custom id/secret Web App",
  "status": "ACTIVE",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "visibility": {
    "autoLaunch": false,
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": true,
      "web": true
    },
    "appLinks": {
      "oidc_client_link": true
    }
  },
  "features": [],
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "oauthClient": {
      "autoKeyRotation": true,
      "client_id": "custom_client_id",
      "client_secret": "cust0mC1ient$secret",
      "token_endpoint_auth_method": "client_secret_basic",
      "pkce_required": false
    }
  },
  "settings": {
    "app": {},
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "manualProvisioning": false,
    "implicitAssignment": false,
    "notes": {
      "admin": null,
      "enduser": null
    },
    "oauthClient": {
      "client_uri": null,
      "logo_uri": null,
      "redirect_uris": [
        "http://localhost:8080/authorization-code/callback"
      ],
      "post_logout_redirect_uris": [
        "http://localhost:8080"
      ],
      "response_types": [
        "code"
      ],
      "grant_types": [
        "refresh_token",
        "authorization_code"
      ],
      "application_type": "web",
      "consent_method": "REQUIRED",
      "issuer_mode": "DYNAMIC",
      "refresh_token": {
        "rotation_type": "ROTATE",
        "leeway": 30
      },
      "idp_initiated_login": {
        "mode": "DISABLED",
        "default_scope": []
      },
      "wildcard_redirect": "DISABLED",
      "dpop_bound_access_tokens": false
    }
  }
}'
- Verify the response contains the custom client_id and client_secret.
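The same GET-strip-POST procedure as a script, added here as an example and not code from the Okta article. It assumes OKTA_DOMAIN and OKTA_API_TOKEN environment variables and uses a trimmed, constructed copy of the GET response above as the template; like the POST body above, it also drops the Okta-assigned credentials.signing block.

```python
import copy
import json
import os
import urllib.request

# Constructed template: the parts of the GET /api/v1/apps/{id} response the script touches.
TEMPLATE_APP = {
    "id": "0oa9ht5knq78zN8Ni1d7", "name": "oidc_client", "label": "Web App Template",
    "status": "ACTIVE", "created": "2023-08-15T06:11:46.000Z",
    "lastUpdated": "2023-08-15T06:12:09.000Z", "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "userNameTemplate": {"template": "${source.login}", "type": "BUILT_IN"},
        "signing": {"kid": "EyROxC6JMxK2ECPPabB-_zj76klcLXj3L5xCuiBNHpw"},
        "oauthClient": {"autoKeyRotation": True, "client_id": "0oa9ht5knq78zN8Ni1d7",
                        "token_endpoint_auth_method": "client_secret_basic",
                        "pkce_required": False},
    },
    "settings": {"oauthClient": {"redirect_uris": ["http://localhost:8080/authorization-code/callback"]}},
    "_links": {"groups": {"href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/groups"}},
}

# Server-generated, read-only fields that must not be sent back in the POST.
READ_ONLY_FIELDS = ("id", "_links", "created", "lastUpdated")

def build_custom_app(template, client_id, client_secret, label):
    """Derive a POST body from a GET response: strip read-only fields, drop the
    Okta-assigned signing key id, and set the custom client_id/client_secret."""
    app = copy.deepcopy(template)  # never mutate the caller's template
    for key in READ_ONLY_FIELDS:
        app.pop(key, None)
    app["credentials"].pop("signing", None)
    app["credentials"]["oauthClient"].update(
        {"client_id": client_id, "client_secret": client_secret})
    app["label"] = label
    return app

def post_app(okta_domain, api_token, app):
    """Create the application via POST /api/v1/apps; returns the parsed response."""
    req = urllib.request.Request(
        f"https://{okta_domain}/api/v1/apps", data=json.dumps(app).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": f"SSWS {api_token}"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":  # OKTA_DOMAIN / OKTA_API_TOKEN are assumed environment variables
    body = build_custom_app(TEMPLATE_APP, "custom_client_id", "cust0mC1ient$secret", "Custom id/secret Web App")
    created = post_app(os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"], body)
    print(created["credentials"]["oauthClient"])  # confirm the custom client_id/client_secret came back
```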
NOTE: As mentioned in Okta developer documentation: "Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See Okta API authentication methods."
