Cannot create access token with custom scopes using private_key_jwt

I created a dynamic client that uses token_endpoint_auth_method="private_key_jwt". When I attempt to create an access token for any scope in my authorization server, I get the error "Custom scopes are not allowed for this request." Using the built-in Okta API scopes seems to work. Does private_key_jwt not work with custom scopes?

Here is my test:
$ curl --location --request POST 'https://{host}/oauth2/v1/clients' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: SSWS {key}' \
  --data-raw '{
    "client_name": "Service Client Name",
    "response_types": [
      "token"
    ],
    "grant_types": [
      "client_credentials"
    ],
    "token_endpoint_auth_method": "private_key_jwt",
    "application_type": "service",
    "jwks": {
      "keys": [
        //put key in here
      ]
    }
  }'

client_assertion Token before signing:
{
  "aud": "https://{host}/oauth2/v1/token",
  "iss": "{clientId}",
  "sub": "{clientId}",
  "exp": 1617045105
}

$ curl --location --request POST 'https://{host}/oauth2/v1/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=customScope' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion={client assertion here}'

Response: {"error":"invalid_scope","error_description":"Custom scopes are not allowed for this request."}

If I try the exact same thing but with a client_secret_post auth method it works great.

$ curl --location --request POST 'https://{host}/oauth2/v1/clients' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: SSWS {key}' \
  --data-raw '{
    "client_name": "Service Client Name Dynamic Secret",
    "response_types": [
      "token"
    ],
    "grant_types": [
      "client_credentials"
    ],
    "token_endpoint_auth_method": "client_secret_post",
    "application_type": "service"
  }'

$ curl --request POST \
  --url https://{host}/oauth2/default/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic {client id and secret}' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=customScope'

Response: I get a bearer token in the response.

It also works if I use an Okta API scope that I granted to the client:

curl --location --request POST 'https://{host}/oauth2/v1/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=okta.apps.read' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion={Assertion}'

Response: bearer token

You are unable to configure custom scopes for the built-in Org Authorization Server, which is different from the Default Custom Authorization Server.

It looks like you have added a customScope to the Default server and are then attempting to request a token from the Org authorization server that contains this scope. This customScope can only be requested from your Default server, while the Okta API scopes can only be requested from the Org server.

These different servers are for different use cases:

  • The Okta/Org authorization server, which is used when you make a request to /oauth2/v1/token, can be used by Service apps to create tokens that can be used against the Okta APIs. In these token requests, you can request the Okta API scopes that you have granted your Service app (okta.users.read, okta.apps.read, etc.).
  • The Default/any other Custom Authorization server you create, which is used when you make a request to /oauth2/default/v1/token, is to be used in OAuth use cases, where you are looking to protect your own resources with OAuth tokens. In these token requests, you can request any custom scopes you have created for the authorization server you are using, in this case, customScope.
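The following is an added example, not code from this thread or from Okta's own tooling, that puts the answer above into practice with openssl and curl: it builds a private_key_jwt client_assertion whose aud is the token endpoint of the custom (default) authorization server, where customScope lives, self-checks the RS256 signature and the aud before sending, and shows the token request for a custom scope. The host, client id, kid and the throwaway RSA key pair are placeholders/assumptions; in practice the private key is the one whose public JWK you registered in the client's jwks. Note that iat and exp are integer NumericDate values, and that an assertion minted for one server's token endpoint is not valid for the other's, because aud differs.

```shell
#!/bin/sh
# Added example (not from the original thread): private_key_jwt against the
# custom authorization server. Placeholders/assumptions: {host}, {clientId},
# the kid "demo-kid" and the throwaway key pair created by demo_keys.
set -eu

# base64url without padding, as JWS requires
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# inverse of b64url: restore the standard alphabet and padding, then decode
b64url_decode() {
  padded=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#padded} % 4 )) -ne 0 ]; do padded="${padded}="; done
  printf '%s' "$padded" | openssl base64 -d -A
}

# Throwaway RSA key pair for the demo (assumption). In practice use the key
# whose public JWK is in the client's registered "jwks".
demo_keys() {
  KEY_DIR=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$KEY_DIR/priv.pem" 2>/dev/null
  openssl pkey -in "$KEY_DIR/priv.pem" -pubout -out "$KEY_DIR/pub.pem" 2>/dev/null
}

# Usage: build_client_assertion CLIENT_ID TOKEN_ENDPOINT PRIVATE_KEY_PEM KID
# aud is the token endpoint you will POST to: /oauth2/default/v1/token for the
# custom server (custom scopes), /oauth2/v1/token for the org server (okta.*
# scopes). iat/exp are integer NumericDates; jti makes the assertion single-use.
build_client_assertion() {
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$4" | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","iat":%d,"exp":%d,"jti":"%s"}' \
    "$1" "$1" "$2" "$now" "$((now + 300))" "$(openssl rand -hex 16)" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$3" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# Usage: verify_client_assertion JWT PUBLIC_KEY_PEM EXPECTED_AUD
# Pre-flight check: the RS256 signature verifies and aud equals the endpoint
# you are about to call. Returns non-zero otherwise.
verify_client_assertion() {
  h=${1%%.*}; rest=${1#*.}; p=${rest%%.*}; s=${rest#*.}
  sigfile=$(mktemp)
  b64url_decode "$s" > "$sigfile"
  if ! printf '%s.%s' "$h" "$p" \
       | openssl dgst -sha256 -verify "$2" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$sigfile"; return 1
  fi
  rm -f "$sigfile"
  b64url_decode "$p" | grep -qF "\"aud\":\"$3\""
}

# Usage: request_token TOKEN_ENDPOINT SCOPE ASSERTION (network call; not run here)
request_token() {
  curl -sS --request POST "$1" \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "scope=$2" \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode "client_assertion=$3"
}

# Demo: an assertion for the custom (default) server, where customScope lives.
demo_keys
CUSTOM_TOKEN_ENDPOINT="https://{host}/oauth2/default/v1/token"
ORG_TOKEN_ENDPOINT="https://{host}/oauth2/v1/token"
ASSERTION=$(build_client_assertion "{clientId}" "$CUSTOM_TOKEN_ENDPOINT" "$KEY_DIR/priv.pem" "demo-kid")
verify_client_assertion "$ASSERTION" "$KEY_DIR/pub.pem" "$CUSTOM_TOKEN_ENDPOINT" \
  && echo "assertion OK for $CUSTOM_TOKEN_ENDPOINT"
verify_client_assertion "$ASSERTION" "$KEY_DIR/pub.pem" "$ORG_TOKEN_ENDPOINT" \
  || echo "same assertion is NOT valid for $ORG_TOKEN_ENDPOINT (aud mismatch)"
# Against a real tenant: request_token "$CUSTOM_TOKEN_ENDPOINT" customScope "$ASSERTION"
```

The pre-flight check is worth keeping in a CI or deployment script: a signature or aud mismatch caught locally is far easier to diagnose than an opaque error from the token endpoint, and it makes the "which server am I talking to" question from this thread explicit in code.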

Thanks @andrea. How do I use "private_key_jwt" with a default/custom authorization server? Or does "private_key_jwt" only work against the Okta/Org authorization server?

I would prefer to use JWK-based client_credentials auth in my custom application over client_secret.

Thanks

Actually, I figured it out. After re-reading your post I changed my token endpoint to /oauth2/default/v1/token and it works now. Thanks!

