Okta Classic Engine > Authentication · Answered · Created 2024-03-25T19:07:19Z, last updated 2024-04-01T14:42:17Z
Challenges in Accessing Okta API with Client Credentials Flow Using Client Secret

We are currently working on configuring our Okta tenant so we can do the following tasks:

  • Obtain an OAuth 2.0 token using the client credentials flow using Client Secret
  • Utilize this token to make an API call (e.g., fetching the apps list)

We have successfully implemented the client credentials flow using a JWT signed with a keypair (https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#get-an-access-token). However, we face challenges when attempting to do the same using a client secret (and unfortunately we need to use a client secret).


What We've Done So Far


App Creation:

  • Sign-in method - API Services
  • Client authentication - Client Secret
  • (DPoP) is not required
  • Granted Okta API Scope: okta.apps.read


Authorization Server Configuration:

  • Added “default” scope and set it as the default, for "default" authorization server


Option *1 (Not working): Client Credentials Flow (Client Secret) with Basic Authorization

This is per Okta documentation (https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/)

curl --request POST \
  --url https://<okta-tenant>.okta.com/oauth2/default/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9hZ…VVNYg==' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=default'

We received the access token and used it in the following request:

curl -v -X GET -H "Accept: application/json" -H "Content-Type: application/json" -H "authorization: Bearer eyJraW…6A" "https://<okta-tenant>.okta.com/api/v1/apps"

The response to this request contained the following error:

www-authenticate: Bearer authorization_uri="http://<okta-tenant>.okta.com/oauth2/v1/authorize", realm="http://<okta-tenant>.okta.com", scope="okta.apps.read", error="invalid_request", error_description="The authorization server id is invalid.", resource="/api/v1/apps"

Option *2 (Not working): Standard OAuth 2.0 Client Credentials Flow (Client Secret):

This follows the OAuth 2.0 standard (passing the client secret in the body rather than in the Authorization Basic header, as the Okta documentation shows).

curl -X POST "https://<okta-tenant>.okta.com/oauth2/v1/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=0oaf…7&client_secret=zFZ…Z&scope=default"

The response to this request contained the following error:

{"error":"invalid_client","error_description":"Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."


We'd greatly appreciate guidance on the following:

  • Are we overlooking anything regarding configuration to get OAuth2 client credentials flow using a client secret?
  • Is this method supported at all, compared to using JWT signing? (We've noticed several posts from others struggling with similar issues in implementing it.)



  • Mihai N. (Okta, Inc.)

    Hi @User1710952617986391333 (-), Thank you for reaching out to the Okta Community!

    This question is more appropriate for our dedicated Okta Developer Forum.

    That being said, I ran it by my developer colleagues and they pointed a couple of things out.

    Authorization Server Configuration:

    • Added “default” scope and set it as the default, for "default" authorization server

    They mentioned not using the Default authorization server for this. Please follow this guide, which should walk you through getting a token from the Org Authorization Server; only tokens issued by it can be granted the okta.apps.read scope.

    My advice would be to reach out via devforum.okta.com to take advantage of my colleagues' expertise.

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!

    --
    Help others in the community by liking or hitting Select as Best if this response helped you.

    Selected as Best
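The two failures in the thread reduce to two rules that the exchange establishes: an access token presented to /api/v1 must come from the Org Authorization Server (/oauth2/v1/token), not from a custom authorization server such as "default" (otherwise "The authorization server id is invalid"), and a client_credentials request to the Org Authorization Server must authenticate with private_key_jwt rather than a client secret (otherwise invalid_client). The script below is an added example, not code from the thread or from Okta: it builds both token requests the asker tried (secret in the Basic header and secret in the form body), parses the WWW-Authenticate challenge that /api/v1/apps returned to find the scope it demands, and pre-flights a planned token request against those two rules before anything is sent. The tenant example.okta.com, the client id and secret, the constructed challenge string and all function names are assumptions of this example.

```python
"""Added example (not from the thread or from Okta): builds the two client
credentials token requests from the thread, parses the WWW-Authenticate
challenge Okta returned, and pre-flights a request against the two rules the
thread establishes. Tenant names, client ids and secrets are constructed."""
import base64
import re
from urllib.parse import urlencode, urlparse

# Token endpoint path of the Org Authorization Server. The thread shows that
# only tokens it issues are accepted by /api/v1 (okta.* scopes).
ORG_AS_TOKEN_PATH = "/oauth2/v1/token"


def build_token_request(client_id, client_secret, scopes, auth_method):
    """Return (headers, form_body) for a client_credentials grant.

    auth_method is "client_secret_basic" (Option 1 in the thread: secret in
    the Authorization header) or "client_secret_post" (Option 2: secret in the
    form body). Both are standard OAuth 2.0 client authentication methods.
    """
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    if auth_method == "client_secret_basic":
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif auth_method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return headers, urlencode(form)


def parse_www_authenticate(header):
    """Split a 'Bearer k="v", k2="v2"' challenge into (scheme, params)."""
    scheme, _, rest = header.partition(" ")
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return scheme, params


def preflight(token_url, scopes, auth_method, required_scope):
    """Check a planned token request against the two failures in the thread.

    Returns a list of (code, explanation) findings; an empty list means the
    request is shaped like the working private_key_jwt flow.
    """
    findings = []
    path = urlparse(token_url).path
    if path != ORG_AS_TOKEN_PATH:
        findings.append((
            "custom_authorization_server",
            "tokens from a custom authorization server are rejected by /api/v1 "
            "('The authorization server id is invalid'); use the Org "
            f"Authorization Server at {ORG_AS_TOKEN_PATH}",
        ))
    elif auth_method != "private_key_jwt":
        findings.append((
            "private_key_jwt_required",
            "client_credentials on the Org Authorization Server must use "
            "private_key_jwt; a client secret is refused with invalid_client",
        ))
    if required_scope not in scopes:
        findings.append((
            "scope_missing",
            f"the resource demands scope {required_scope!r}, which was not requested",
        ))
    return findings


# Constructed sample: the challenge /api/v1/apps returned in Option 1 of the
# thread, with a placeholder tenant name.
SAMPLE_CHALLENGE = (
    'Bearer authorization_uri="http://example.okta.com/oauth2/v1/authorize", '
    'realm="http://example.okta.com", scope="okta.apps.read", '
    'error="invalid_request", '
    'error_description="The authorization server id is invalid.", '
    'resource="/api/v1/apps"'
)


def diagnose(token_url, scopes, auth_method, challenge=SAMPLE_CHALLENGE):
    """Use the scope named in the API's challenge to pre-flight a token request."""
    _, params = parse_www_authenticate(challenge)
    return preflight(token_url, scopes, auth_method, params["scope"])


if __name__ == "__main__":
    for label, url, method in (
        ("Option 1", "https://example.okta.com/oauth2/default/v1/token", "client_secret_basic"),
        ("Option 2", "https://example.okta.com/oauth2/v1/token", "client_secret_post"),
        ("working", "https://example.okta.com/oauth2/v1/token", "private_key_jwt"),
    ):
        scopes = ["okta.apps.read"] if method == "private_key_jwt" else ["default"]
        print(label, diagnose(url, scopes, method) or "no findings")
```

Run stand-alone, the script reports the first two configurations with the same findings the thread hit and the third (Org Authorization Server, private_key_jwt, okta.apps.read) with none. The preflight deliberately treats "custom authorization server" and "client secret on the Org Authorization Server" as alternatives, because the second rule only applies once the request targets /oauth2/v1/token; a client secret therefore cannot be made to work for Okta API scopes by changing endpoints alone.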
This question is closed.