Authentication at the API level?

Hey everyone - thanks for answering this neophyte question! Does the OKTA api support an auth type that does not require interaction? For example key+secret, or some kind of bearer token process?

We need to run something nightly that can synchronize users. I’ve found the list users call which would do nicely: Users | Okta Developer

Just not certain how to go about authorization in a server to server process (using basic cURL only) with OKTA.

Thanks for the heads up!

Okta’s API can support 2 types of authentication:

  • using an API token, which you attach to a service account with elevated permissions created in Okta
  • using OAuth tokens, which you can obtain by registering an OAuth application with the client_credentials grant and granting this application specific grants/scopes

Hi there @LLXP !

You might want to check out this recent blog post Selecting the Best Authorization for your API Integrations. It links back to developer docs, too, and may shed some light on how to achieve what you’re trying to accomplish.

Happy coding!


Thanks for your response @phi1ipp and @alisaduncan. I’m familiar with the bearer flow, which is the precise flow that’s used in Microsoft AD solutions. The article at Selecting the Best Authorization for Your API Integrations | Okta Developer confirms that a Bearer token process exists, which is great.

I’d really appreciate a bit of added help in finding the right documentation in your API portal.

  1. Where can I find the endpoint documentation for the exact parameters that exchange the client id and client secret for a bearer token? e.g. For the bearer token process, post to this endpoint, with these POST body parameters.

  2. Is there documentation somewhere that identifies what the API will respond if the bearer token has expired and needs to be renewed (for example, during a call to read users)?

Thanks for your support.
Alex

Was just seconds away. For anyone in my boat, the pivotal detail was found in the admin area under Security > API

On the first view in this section lies the issuer URI, which is where you POST. Note this URI.

Then you will edit this issuer, and hit the Scopes tab - create a new Scope.

The final request ends up looking like:

POST /oauth2/default/v1/token HTTP/1.1
Accept: application/json
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Authorization: Basic [BASE64(clientId:clientSecret)]
Host: YOURURLAT.okta.com
Connection: close
Content-Length: ....

grant_type=client_credentials&scope=SCOPENAME
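The following is an added example, not code from the thread or from Okta: a nightly sync skeleton that strings together the two pieces the thread covers, the client_credentials token request described in the reply above (with the HTTP Basic header built from clientId:clientSecret, as in the request shown) and the list-users call from the original question, using only POSIX sh, curl, base64 and sed. It also covers the unanswered second question: per RFC 6750 a resource server rejects an expired or otherwise invalid bearer token with HTTP 401, so the script mints a fresh token once and retries on that status; the exact error body Okta returns is not shown in this thread, so the script keys on the status code only. Everything configurable (OKTA_DOMAIN, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, OKTA_SCOPE, OKTA_TOKEN_PATH) is an assumed placeholder, defaulting to the values in the request above. One caveat to confirm against the Okta docs before relying on this: Okta's own management endpoints such as /api/v1/users are governed by Okta API scopes (okta.users.read and similar) rather than a custom scope defined on a custom authorization server, so check which token endpoint and scope the endpoint you call actually accepts; the script simply uses whatever path and scope it is given.

```shell
#!/bin/sh
# Added example (not from the original thread): server-to-server user sync
# with Okta using client_credentials, plain curl, base64 and sed.
# All of these are assumed placeholders; override them in the environment.
: "${OKTA_DOMAIN:=YOURURLAT.okta.com}"
: "${OKTA_CLIENT_ID:=client-id}"
: "${OKTA_CLIENT_SECRET:=client-secret}"
: "${OKTA_SCOPE:=SCOPENAME}"
: "${OKTA_TOKEN_PATH:=/oauth2/default/v1/token}"

# HTTP Basic credential for the token request: base64(clientId:clientSecret),
# with the line wrap some base64 implementations add stripped off.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pull "access_token" out of the token endpoint's JSON reply without jq.
extract_access_token() {
    printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# RFC 6750: an expired or invalid bearer token is answered with HTTP 401,
# so that status (and only that status) means "get a new token and retry".
needs_new_token() {
    [ "$1" -eq 401 ]
}

# POST grant_type=client_credentials to the token endpoint; prints the token.
fetch_token() {
    resp=$(curl -sS -X POST "https://${OKTA_DOMAIN}${OKTA_TOKEN_PATH}" \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H "Authorization: Basic $(basic_credential "$OKTA_CLIENT_ID" "$OKTA_CLIENT_SECRET")" \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode "scope=${OKTA_SCOPE}")
    tok=$(extract_access_token "$resp")
    [ -n "$tok" ] || { echo "token request failed: $resp" >&2; return 1; }
    printf '%s' "$tok"
}

# GET the users list with the bearer token; body goes to file $2,
# the HTTP status code is printed so the caller can act on it.
list_users() {
    curl -sS -o "$2" -w '%{http_code}' \
        -H 'Accept: application/json' \
        -H "Authorization: Bearer $1" \
        "https://${OKTA_DOMAIN}/api/v1/users?limit=200"
}

# One nightly run: mint a token, list users, retry once on 401, fail otherwise.
sync_users() {
    token=$(fetch_token) || return 1
    status=$(list_users "$token" users.json)
    if needs_new_token "$status"; then
        # Token expired or was revoked between minting and use: mint once more.
        token=$(fetch_token) || return 1
        status=$(list_users "$token" users.json)
    fi
    [ "$status" -eq 200 ] || { echo "list users failed with HTTP $status" >&2; return 1; }
    # users.json now holds the first page of users for the sync step;
    # further pages are linked from the response's Link header.
}

if [ "${1:-}" = "--run" ]; then
    sync_users
fi
```

Run it as `OKTA_DOMAIN=... OKTA_CLIENT_ID=... OKTA_CLIENT_SECRET=... ./sync.sh --run` from cron; keep the client secret in the environment or a root-only file rather than on the command line, where it would show up in the process list.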
