API Security; private_key_jwt; one or more scopes are not configured

I have been following the instructions for generating an API token for Okta API endpoints using the “private_key_jwt” token endpoint auth method (Implement OAuth for Okta with a service app | Okta Developer).

I am able to successfully execute all steps prior to the last step which is used to obtain the API “access_token” value itself. Instead, I get the following error:

Obviously, the client_assertion value is a valid signed JWT which I create before each attempt to make this call.

curl --location --request POST 'https://dev-xxxxxxxx.okta.com/oauth2/default/v1/token' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=okta.sessions.read' \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode 'client_assertion=eyJ0eXAiOiJKV.....CSSRDV_SHybQ'
{"error":"invalid_scope","error_description":"One or more scopes are not configured for the authorization server resource."}

I verified that I had already granted the scope specified in the curl.

curl --location --request GET 'https://dev-xxxxxxxx.okta.com/api/v1/apps/xxxxxxxxxxxxxxxxxxxx/grants' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
-H "Authorization: SSWS 00XcKg...UGkt05i" \
--header 'Cache-Control: no-cache'
  ...
  {
    "id": "xxxxxxxxxxxxxxxxxxxx",
    "status": "ACTIVE",
    "created": "2022-11-07T23:24:29.000Z",
    "createdBy": {
      "id": "xxxxxxxxxxxxxxxxxxxx",
      "type": "User"
    },
    "lastUpdated": "2022-11-07T23:24:29.000Z",
    "issuer": "https://dev-xxxxxxxx.okta.com",
    "clientId": "xxxxxxxxxxxxxxxxxxxx",
    "scopeId": "okta.sessions.read",
    "source": "ADMIN",
  ...

What am I missing?

[8:34 AM] David C. Vezzani

Now that I am looking at things again, it appears that the following specify the same application integration entity, but the first would be the way to use the “Okta Org Authorization Server” format. I’m going to try the process again and see if it works.

As stated in the documentation (and in posts in this forum),

Only the Org Authorization Server can mint access tokens that contain Okta API scopes
Implement OAuth for Okta | Okta Developer

I was finally able to “mint” an API access token successfully.
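The fix the reply arrives at, as an added example that is not part of the original thread or of Okta's own code: pick the token endpoint from the requested scopes (okta.* scopes only come from the Org Authorization Server at /oauth2/v1/token, not a custom server such as /oauth2/default/v1/token), build the matching client assertion claims, and diagnose the request from the first post. The org URL and client id are constructed placeholders, and signing the claims with the service app's private key is left to a JWT library.

```python
import re
import uuid
from typing import List, Optional
from urllib.parse import urlencode, urlparse

ORG_URL = "https://dev-00000000.okta.com"   # constructed placeholder org
CLIENT_ID = "0oa-example-client-id"          # constructed placeholder client id

# Token endpoint of a custom authorization server, e.g. /oauth2/default/v1/token
CUSTOM_AS_RE = re.compile(r"^/oauth2/[^/]+/v1/token$")


def is_okta_api_scope(scope: str) -> bool:
    """Okta management API scopes live in the okta.* namespace (okta.sessions.read)."""
    return scope.startswith("okta.")


def token_endpoint_for(org_url: str, scopes: List[str],
                       custom_as_id: Optional[str] = None) -> str:
    """Only the Org Authorization Server can mint tokens carrying okta.* scopes."""
    base = org_url.rstrip("/")
    if any(is_okta_api_scope(s) for s in scopes):
        return f"{base}/oauth2/v1/token"
    if custom_as_id is None:
        raise ValueError("non-okta.* scopes need a custom authorization server id")
    return f"{base}/oauth2/{custom_as_id}/v1/token"


def diagnose_invalid_scope(request_url: str, scopes: List[str]) -> Optional[str]:
    """Explain the thread's invalid_scope: okta.* scopes posted to a custom AS."""
    if CUSTOM_AS_RE.match(urlparse(request_url).path) and any(map(is_okta_api_scope, scopes)):
        return "okta.* scopes sent to a custom authorization server; use /oauth2/v1/token"
    return None


def client_assertion_claims(client_id: str, token_endpoint: str, now: int,
                            ttl: int = 300) -> dict:
    """private_key_jwt claims; aud must be the exact token endpoint being POSTed to.
    Sign the result (e.g. RS256) with the service app's private key before use."""
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}


def token_request(org_url: str, scopes: List[str], signed_assertion: str,
                  custom_as_id: Optional[str] = None):
    """Return (url, form body) equivalent to the thread's curl, on the right endpoint."""
    url = token_endpoint_for(org_url, scopes, custom_as_id)
    form = {"grant_type": "client_credentials", "scope": " ".join(scopes),
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": signed_assertion}
    return url, urlencode(form)
```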

