API Security; private_key_jwt; one or more scopes are not configured

I have been following the instructions for generating an API token for Okta API endpoints using the “private_key_jwt” token endpoint auth method (Implement OAuth for Okta with a service app | Okta Developer).

I am able to successfully execute all steps prior to the last step which is used to obtain the API “access_token” value itself. Instead, I get the following error:

Obviously, the client_assertion value is a valid signed JWT which I create before each attempt to make this call.

curl --location --request POST 'https://dev-xxxxxxxx.okta.com/oauth2/default/v1/token' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=okta.sessions.read' \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode 'client_assertion=eyJ0eXAiOiJKV.....CSSRDV_SHybQ'
{"error":"invalid_scope","error_description":"One or more scopes are not configured for the authorization server resource."}

I verified that I had already granted the scope specified in the curl.

curl --location --request GET 'https://dev-xxxxxxxx.okta.com/api/v1/apps/xxxxxxxxxxxxxxxxxxxx/grants' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
-H "Authorization: SSWS 00XcKg...UGkt05i" \
--header 'Cache-Control: no-cache'
    "id": "xxxxxxxxxxxxxxxxxxxx",
    "status": "ACTIVE",
    "created": "2022-11-07T23:24:29.000Z",
    "createdBy": {
      "id": "xxxxxxxxxxxxxxxxxxxx",
      "type": "User"
    "lastUpdated": "2022-11-07T23:24:29.000Z",
    "issuer": "https://dev-xxxxxxxx.okta.com",
    "clientId": "xxxxxxxxxxxxxxxxxxxx",
    "scopeId": "okta.sessions.read",
    "source": "ADMIN",

What am I missing?

[8:34 AM] David C. Vezzani

Now that I am looking at things again, it appears that the following specify the same application integration entity, but the first would be the way to use the “Okta Org Authorization Server” format. I’m going to try the process again and see if it works.

As stated in the documentation (and in posts in this forum),

Only the Org Authorization Server can mint access tokens that contain Okta API scopes
Implement OAuth for Okta | Okta Developer

I was finally able to “mint” an API access token successfully


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.