<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00007pMd3QCASOkta Classic EngineAuthenticationAnswered2024-04-15T12:38:17.000Z2022-07-24T09:09:23.000Z2022-07-28T17:03:31.000Z

6iwh6 (6iwh6) asked a question.

July 24, 2022 at 9:09 AM
Access Users API with client_credentials flow by the Web application

I have a Web Okta application with enabled `client_credentials` flow and granted `okta.users.read` scope.

I'm trying to create an access_token using both default and Org Authentication Server.

For default Auth Server:

```

POST /oauth2/default/v1/token HTTP/1.1

Authorization: Basic *****

Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=okta.apps.read

```

It gives an error:

```

{

"error": "invalid_scope",

"error_description": "One or more scopes are not configured for the authorization server resource."

}

```

When I'm trying to add a `okta.users.read` scope the the default server it gives an error:

`This name is reserved. Must not start with ''okta.'' or ''okta:'' and must not be only ''okta'' or ''*''`

 

For the Org Auth Server it gives another error:

```

{

"error": "invalid_client",

"error_description": "Only clients with 'application_type' of 'service' may use the client_credentials 'grant_type' with the Org Authorization Server."

}

```

  • 2 answers
  • 797 views

  • Mihai N. (Okta, Inc.)

    Hi @6iwh6 (6iwh6)​ , Thank you for reaching out to the Okta Community!

     

    The following Community post seems to discuss a similar issue as you are describing as "One or more scopes are not configured for the authorization server resource."

     

    https://support.okta.com/help/s/question/0D54z00007JYLaqCAH/one-or-more-scopes-are-not-configured-for-the-authorization-server-resource?language=en_US

     

    For the second part mentioned, the issue seems to stem from the fact that there is a restriction on the name used for scopes. As the error mentions, it's not supposed to contain certain words/characters and so on. 

     

    For the third part of the issue, this seems to be discussed on the Okta Developer forum: 

    https://devforum.okta.com/t/client-credentials-with-application-type-as-web/9415

     

    My advice would be to reach out to the devforum.okta.com to take advantage of their expertise.  

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products.

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope it helps! 

    Expand Post

    • 6iwh6 (6iwh6)

      Hi Mihai,

       

      Both links say about creating the custom scopes in the Authorization Server. I would like to gain access to the standard okta.users.read scope.

      The custom Authorization Server doesn't support creation of the standard Okta scopes.

       

      As fas as I see the only way to access the Users API is to use the "API Services" application with public/key authentication. All other application types can be used only for users authentication.

      Expand Post
This question is closed.
Loading
Access Users API with client_credentials flow by the Web application