Auth flow to get token for validating deployed API (PKCE)

Hypothetical scenario - SPA web app uses PKCE to auth against backend API
How do I mint an access token to validate the deployed API without using the credentials of a specific user?

Want to use OAuth to scope to the specific functionality we are going to test. This would be machine to machine, will not be going through the public web site.

In the documentation for the pkce flow, I see how to auth with a redirect uri:

But I need a token, not a redirect.
Not clear how to use the PKCE flow here:

Do I need to get an auth code first and then exchange it for a token?

Yeah, PKCE works similar to good-old authorization code flow, only code received by your SPA is then exchanged for token by SPA itself, not through back-end server.

Sorry, not sure what the first part of your question was about, but hopefully other folks will be able to advise something :slight_smile:

Can you use the client credentials flow instead?

Looking for machine to machine auth, not the web part

@okra-okta I looked at the client credentials flow, but the example is with a Custom Auth Server; when I tried that I got the error message:
{“error”:“invalid_scope”,“error_description”:“One or more scopes are not configured for the authorization server resource.”}

Custom AS does not support the OAuth for Okta API scopes, as noted in our documentation: Only the Org Authorization Server can mint access tokens that contain Okta API scopes.

Appears that I can’t get a token from a CAS, have to use the Org Auth Server

There is a service app option for OAuth for Okta which uses the client credentials flow (only works with Org Auth Server).

1 Like