
OktaS.66131 (Customer) asked a question.
We created an API service and attempted to obtain an access token using the Client Credentials flow, utilizing the Client ID and Client Secret generated in Okta. However, we received the following 401 Unauthorized error:
{
"error": "invalid_client",
"error_description": "Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."
}
I have the following two questions:
- If we do not have the API Access Management license and thus do not have access to custom authorization servers, is it impossible to obtain an access token using just the Client ID and Client Secret?
- Does the default Org Authorization Server only support access token requests using the private_key_jwt method in the Client Credentials flow?

Thank you for reaching out to the Okta Community!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-custom/developer work).
I've seen similar questions being posted there.
https://devforum.okta.com/t/challenges-in-accessing-okta-api-with-client-credentials-flow-using-client-secret/27412
Regards.
I believe this is now a requirement for org authorization servers, partly because the org authServer is also used for issuing tokens to access the Okta Management API itself. I'd recommend using custom authServers for API access management. That's what it is designed for.