Hypothetical scenario - SPA web app uses PKCE to auth against backend API
How do I mint an access token to validate the deployed API without using the credentials of a specific user?
Want to use OAuth to scope to the specific functionality we are going to test. This would be machine-to-machine and will not be going through the public website.
Yeah, PKCE works similarly to the good old authorization code flow, only the code received by your SPA is then exchanged for a token by the SPA itself, not through a back-end server.
Sorry, not sure what the first part of your question was about, but hopefully other folks will be able to advise something.
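The PKCE variant described in the reply above, as an added example that is not part of the original thread or of Okta's own SDKs: the client generates a random `code_verifier`, sends its SHA-256 `code_challenge` on the authorize request, and later proves possession of the verifier on the token request so no client secret is needed. The issuer `https://example.okta.com/oauth2/default`, the client ID and the redirect URI are placeholders assumed for illustration, and the `/v1/authorize` and `/v1/token` paths follow the usual Okta layout under an issuer. The block also includes the server-side check (`verify_code_challenge`) so the S256 relationship can be confirmed offline; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed placeholders, not values from the thread.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "http://localhost:8080/login/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":  # allowed by the RFC, but avoid it in practice
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(challenge: str, state: str, scopes=("openid", "profile")) -> str:
    """Front-channel request the SPA redirects the browser to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Back-channel POST the SPA itself makes; no client_secret, the verifier
    binds this exchange to the authorize request that produced the code."""
    return {
        "url": f"{ISSUER}/v1/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "code": code,
            "code_verifier": verifier,
        },
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url(challenge, state))
    # "code" below is a constructed stand-in for the value returned on the redirect.
    print(build_token_request("constructed-auth-code", verifier))
    print("server-side check:", verify_code_challenge(verifier, challenge))
```

For the machine-to-machine case the question asks about, the same `/v1/token` endpoint is used but with `grant_type=client_credentials` and the client's own credentials instead of a code and verifier; the PKCE pieces above apply only to the browser-driven flow.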
@okra-okta I looked at the client credentials flow, but the example is with a Custom Auth Server; when I tried that I got the error message:
{"error":"invalid_scope","error_description":"One or more scopes are not configured for the authorization server resource."}
Custom AS does not support the OAuth for Okta API scopes, as noted in our documentation: Only the Org Authorization Server can mint access tokens that contain Okta API scopes.
It appears that I can't get a token from a CAS; I have to use the Org Auth Server.