Create an OAuth/OIDC Application with a Custom client_id and client_secret
API Access Management
Overview

This article details how to create an OAuth/OIDC application with a custom client_id and/or client_secret using the Okta Management API.

Applies To
  • OAuth2 / OIDC Applications
Solution

Prerequisites

  1. Okta Domain
  2. API Token or Access Token

 

Create A New Application

The Okta documentation on Applications details the options available when creating a new OAuth2 application.

Depending on the type of application being created, it is often easier to create an application in the UI and configure it as needed, then use the Management API to retrieve its definition.
 
This sample uses a Web App type since it defines both a client_id and client_secret.
 
  1. Make a GET call to retrieve the definition of a template application created in the UI:

curl --location --request GET 'https://OktaDomain.okta.com/api/v1/apps/<client_id>' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <API_TOKEN>'

Response:

{
    "id": "0oa9ht5knq78zN8Ni1d7",
    "name": "oidc_client",
    "label": "Web App Template",
    "status": "ACTIVE",
    "lastUpdated": "2023-08-15T06:12:09.000Z",
    "created": "2023-08-15T06:11:46.000Z",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoLaunch": false,
        "autoSubmitToolbar": false,
        "hide": {
            "iOS": true,
            "web": true
        },
        "appLinks": {
            "oidc_client_link": true
        }
    },
    "features": [],
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        },
        "signing": {
            "kid": "EyROxC6JMxK2ECPPabB-_zj76klcLXj3L5xCuiBNHpw"
        },
        "oauthClient": {
            "autoKeyRotation": true,
            "client_id": "0oa9ht5knq78zN8Ni1d7",
            "token_endpoint_auth_method": "client_secret_basic",
            "pkce_required": false
        }
    },
    "settings": {
        "app": {},
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "manualProvisioning": false,
        "implicitAssignment": false,
        "notes": {
            "admin": null,
            "enduser": null
        },
        "oauthClient": {
            "client_uri": null,
            "logo_uri": null,
            "redirect_uris": [
                "http://localhost:8080/authorization-code/callback"
            ],
            "post_logout_redirect_uris": [
                "http://localhost:8080"
            ],
            "response_types": [
                "code"
            ],
            "grant_types": [
                "refresh_token",
                "authorization_code"
            ],
            "application_type": "web",
            "consent_method": "REQUIRED",
            "issuer_mode": "DYNAMIC",
            "refresh_token": {
                "rotation_type": "ROTATE",
                "leeway": 30
            },
            "idp_initiated_login": {
                "mode": "DISABLED",
                "default_scope": []
            },
            "wildcard_redirect": "DISABLED",
            "dpop_bound_access_tokens": false
        }
    },
    "_links": {
        "uploadLogo": {
            "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/logo",
            "hints": {
                "allow": [
                    "POST"
                ]
            }
        },
        "appLinks": [
            {
                "name": "oidc_client_link",
                "href": "https://OktaDomain.okta.com/home/oidc_client/0oa9ht5knq78zN8Ni1d7/aln177a159h7Zf52X0g8",
                "type": "text/html"
            }
        ],
        "groups": {
            "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/groups"
        },
        "logo": [
            {
                "name": "medium",
                "href": "https://op3static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
                "type": "image/png"
            }
        ],
        "clientCredentials": [
            {
                "name": "secrets",
                "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/credentials/secrets"
            }
        ],
        "users": {
            "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/users"
        },
        "deactivate": {
            "href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/lifecycle/deactivate"
        }
    }
}
  2. Create a new application definition from the response. Remove certain attributes, such as id, _links, and timestamps.

In the credentials > oauthClient section, specify a custom client_id and client_secret value.
Provide a new label for the application.

curl --location --request POST 'https://OktaDomain.okta.com/api/v1/apps' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <API_TOKEN>' \
--data-raw '{
    "name": "oidc_client",
    "label": "Custom id/secret Web App",
    "status": "ACTIVE",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoLaunch": false,
        "autoSubmitToolbar": false,
        "hide": {
            "iOS": true,
            "web": true
        },
        "appLinks": {
            "oidc_client_link": true
        }
    },
    "features": [],
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        },
        "oauthClient": {
            "autoKeyRotation": true,
            "client_id": "custom_client_id",
            "client_secret": "cust0mC1ient$secret",
            "token_endpoint_auth_method": "client_secret_basic",
            "pkce_required": false
        }
    },
    "settings": {
        "app": {},
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "manualProvisioning": false,
        "implicitAssignment": false,
        "notes": {
            "admin": null,
            "enduser": null
        },
        "oauthClient": {
            "client_uri": null,
            "logo_uri": null,
            "redirect_uris": [
                "http://localhost:8080/authorization-code/callback"
            ],
            "post_logout_redirect_uris": [
                "http://localhost:8080"
            ],
            "response_types": [
                "code"
            ],
            "grant_types": [
                "refresh_token",
                "authorization_code"
            ],
            "application_type": "web",
            "consent_method": "REQUIRED",
            "issuer_mode": "DYNAMIC",
            "refresh_token": {
                "rotation_type": "ROTATE",
                "leeway": 30
            },
            "idp_initiated_login": {
                "mode": "DISABLED",
                "default_scope": []
            },
            "wildcard_redirect": "DISABLED",
            "dpop_bound_access_tokens": false
        }
    }
}'
  3. Verify the response contains the custom client_id and client_secret.
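
The three steps above can be scripted so that the attribute stripping and the final check are not done by hand. This is an added example, not Okta's code: the helper names are hypothetical, the template is a constructed, trimmed copy of the GET response shown earlier, and the request is only prepared, never sent.

```python
import copy
import json
import urllib.request

# Attributes the article says to remove; "credentials.signing" is dropped too,
# matching the article's POST body. Helper names below are illustrative.
SERVER_ASSIGNED = ("id", "_links", "created", "lastUpdated")

# Constructed sample: trimmed version of the GET response in step 1.
TEMPLATE = {
    "id": "0oa9ht5knq78zN8Ni1d7",
    "name": "oidc_client",
    "label": "Web App Template",
    "created": "2023-08-15T06:11:46.000Z",
    "lastUpdated": "2023-08-15T06:12:09.000Z",
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "signing": {"kid": "EyROxC6JMxK2ECPPabB-_zj76klcLXj3L5xCuiBNHpw"},
        "oauthClient": {"client_id": "0oa9ht5knq78zN8Ni1d7",
                        "token_endpoint_auth_method": "client_secret_basic"},
    },
    "settings": {"oauthClient": {"application_type": "web"}},
    "_links": {"users": {"href": "https://OktaDomain.okta.com/api/v1/apps/0oa9ht5knq78zN8Ni1d7/users"}},
}

def build_payload(template, label, client_id, client_secret):
    """Step 2: strip server-assigned fields and set the custom credentials."""
    app = copy.deepcopy(template)  # leave the fetched template untouched
    for key in SERVER_ASSIGNED:
        app.pop(key, None)
    app["credentials"].pop("signing", None)
    app["credentials"]["oauthClient"].update(client_id=client_id, client_secret=client_secret)
    app["label"] = label
    return app

def build_request(base_url, api_token, payload):
    """Prepare (do not send) the POST /api/v1/apps call used in step 2."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/apps",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": "SSWS " + api_token},
    )

def verify_created(response, client_id, client_secret):
    """Step 3: the created app must echo the custom client_id and client_secret."""
    oc = response.get("credentials", {}).get("oauthClient", {})
    return oc.get("client_id") == client_id and oc.get("client_secret") == client_secret
```

Pass the secret in from a secret store or environment variable rather than writing it into the script, since the payload and any logged request body contain it in clear text.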


NOTE: As mentioned in Okta developer documentation: "Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See Okta API authentication methods."
