Create an OAuth/OIDC Application with a Custom client_id and client_secret in Okta
Last Updated:
Overview
This article details how to create an OAuth/OIDC application with a custom client_id and/or client_secret using the Okta Management API.
Applies To
- OAuth2 / OIDC Applications
Solution
Prerequisites
- Okta Domain
- API Token or Access Token
Create A New Application
Depending on the type of application being built, it is often easier to build it in the UI and configure it as needed. Then use the management API to retrieve the definition.
client_id and client_secret.- Make a GET call to retrieve the definition of a template application created in the UI:
curl --location --request GET 'https://OktaDomain.okta.com/api/v1/apps/<client_id>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <API_TOKEN>'
Response:
{
"id": "0oa9ht5knq78zN8Ni1d7",
"name": "oidc_client",
"label": "Web App Template",
"status": "ACTIVE",
"lastUpdated": "2023-08-15T06:12:09.000Z",
"created": "2023-08-15T06:11:46.000Z",
"accessibility": {
"selfService": false,
"errorRedirectUrl": null,
"loginRedirectUrl": null
},
"visibility": {
"autoLaunch": false,
"autoSubmitToolbar": false,
"hide": {
"iOS": true,
"web": true
},
"appLinks": {
"oidc_client_link": true
}
},
"features": [],
"signOnMode": "OPENID_CONNECT",
"credentials": {
"userNameTemplate": {
"template": "${source.login}",
"type": "BUILT_IN"
},
"signing": {
"kid": "EyROxC6JMxK2ECPPabB-_zj76klcLXj3L5xCuiBNHpw"
},
"oauthClient": {
"autoKeyRotation": true,
"client_id": "0oa9ht5knq78zN8Ni1d7",
"token_endpoint_auth_method": "client_secret_basic",
"pkce_required": false
}
},
"settings": {
"app": {},
"notifications": {
"vpn": {
"network": {
"connection": "DISABLED"
},
"message": null,
"helpUrl": null
}
},
"manualProvisioning": false,
"implicitAssignment": false,
"notes": {
"admin": null,
"enduser": null
},
"oauthClient": {
"client_uri": null,
"logo_uri": null,
"redirect_uris": [
"http://localhost:8080/authorization-code/callback"
],
"post_logout_redirect_uris": [
"http://localhost:8080"
],
"response_types": [
"code"
],
"grant_types": [
"refresh_token",
"authorization_code"
],
"application_type": "web",
"consent_method": "REQUIRED",
"issuer_mode": "DYNAMIC",
"refresh_token": {
"rotation_type": "ROTATE",
"leeway": 30
},
"idp_initiated_login": {
"mode": "DISABLED",
"default_scope": []
},
"wildcard_redirect": "DISABLED",
"dpop_bound_access_tokens": false
}
},
"_links": {
"uploadLogo": {
"href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/logo",
"hints": {
"allow": [
"POST"
]
}
},
"appLinks": [
{
"name": "oidc_client_link",
"href": "https://OktaDomain.okta.com/home/oidc_client/0oa9ht5knq78zN8Ni1d7/aln177a159h7Zf52X0g8",
"type": "text/html"
}
],
"groups": {
"href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/groups"
},
"logo": [
{
"name": "medium",
"href": "https://op3static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
"type": "image/png"
}
],
"clientCredentials": [
{
"name": "secrets",
"href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/credentials/secrets"
}
],
"users": {
"href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/users"
},
"deactivate": {
"href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/lifecycle/deactivate"
}
}
}
- Create a new application definition from the response. Remove certain attributes, such as
id,_links, and timestamps.
In the credentials > oauthClient section, specify a custom client_id and client_secret value. Ensure the custom client ID is between 6 and 100 characters and the custom client secret is between 14 and 100 characters.
curl --location --request POST 'https://OktaDomain.okta.com/api/v1/apps' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <API_TOKEN>' \
--data-raw '{
"name": "oidc_client",
"label": "Custom id/secret Web App",
"status": "ACTIVE",
"accessibility": {
"selfService": false,
"errorRedirectUrl": null,
"loginRedirectUrl": null
},
"visibility": {
"autoLaunch": false,
"autoSubmitToolbar": false,
"hide": {
"iOS": true,
"web": true
},
"appLinks": {
"oidc_client_link": true
}
},
"features": [],
"signOnMode": "OPENID_CONNECT",
"credentials": {
"userNameTemplate": {
"template": "${source.login}",
"type": "BUILT_IN"
},
"oauthClient": {
"autoKeyRotation": true,
"client_id": "custom_client_id",
"client_secret": "cust0mC1ient$secret",
"token_endpoint_auth_method": "client_secret_basic",
"pkce_required": false
}
},
"settings": {
"app": {},
"notifications": {
"vpn": {
"network": {
"connection": "DISABLED"
},
"message": null,
"helpUrl": null
}
},
"manualProvisioning": false,
"implicitAssignment": false,
"notes": {
"admin": null,
"enduser": null
},
"oauthClient": {
"client_uri": null,
"logo_uri": null,
"redirect_uris": [
"http://localhost:8080/authorization-code/callback"
],
"post_logout_redirect_uris": [
"http://localhost:8080"
],
"response_types": [
"code"
],
"grant_types": [
"refresh_token",
"authorization_code"
],
"application_type": "web",
"consent_method": "REQUIRED",
"issuer_mode": "DYNAMIC",
"refresh_token": {
"rotation_type": "ROTATE",
"leeway": 30
},
"idp_initiated_login": {
"mode": "DISABLED",
"default_scope": []
},
"wildcard_redirect": "DISABLED",
"dpop_bound_access_tokens": false
}
}
}'
- Verify the response contains the custom
client_idandclient_secret.
NOTE: As mentioned in Okta developer documentation: "Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See Okta API authentication methods."
