I created a dynamic client that uses token_endpoint_auth_method="private_key_jwt". When I attempt to create an access token for any scope in my authorization server, I get the error "Custom scopes are not allowed for this request." Using the built-in Okta API scopes seems to work. Does private_key_jwt not work with custom scopes?
Here is my test:
$ curl --location --request POST 'https://{host}/oauth2/v1/clients' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: SSWS {key}' \
  --data-raw '{
    "client_name": "Service Client Name",
    "response_types": [
      "token"
    ],
    "grant_types": [
      "client_credentials"
    ],
    "token_endpoint_auth_method": "private_key_jwt",
    "application_type": "service",
    "jwks": {
      "keys": [
        // put key in here
      ]
    }
  }'
client_assertion Token before signing:
{
  "aud": "https://{host}/oauth2/v1/token",
  "iss": "{clientId}",
  "sub": "{clientId}",
  "exp": "1617045105"
}
$ curl --location --request POST 'https://{host}/oauth2/v1/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=customScope' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion={client assertion here}'
Response: {"error":"invalid_scope","error_description":"Custom scopes are not allowed for this request."}
If I try the exact same thing but with a client_secret_post auth method it works great.
$ curl --location --request POST 'https://{host}/oauth2/v1/clients' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: SSWS {key}' \
  --data-raw '{
    "client_name": "Service Client Name Dynamic Secret",
    "response_types": [
      "token"
    ],
    "grant_types": [
      "client_credentials"
    ],
    "token_endpoint_auth_method": "client_secret_post",
    "application_type": "service"
  }'
$ curl --request POST \
  --url https://{host}/oauth2/default/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic {client id and secret}' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=customScope'
Response: I get a bearer token in the response.
It also works if I use an Okta API scope that I granted to the client:
$ curl --location --request POST 'https://{host}/oauth2/v1/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=okta.apps.read' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion={Assertion}'
Response: bearer token
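Added example, not code from the post or from Okta: a stdlib-only Python helper that builds the claim set for a private_key_jwt client assertion, serialises it as a compact JWS, and runs a pre-flight check on the request before it is sent. The check flags what is visible in the post: the `exp` claim sent as a string where RFC 7519 requires an integer NumericDate, a missing `jti` (which leaves a captured assertion replayable for its lifetime), and an `aud`/endpoint combination that asks for a custom scope from the org authorization server endpoint (`/oauth2/v1/token`). In Okta the org authorization server only issues `okta.*` scopes; custom scopes are served by a custom authorization server such as the `/oauth2/default/v1/token` endpoint that the working client_secret_post request above uses. `HOST`, `CLIENT_ID` and the `kid` are constructed placeholders for `{host}` and `{clientId}`, and `placeholder_signer` is a stand-in: in real use the signature must be RS256 with the private key whose public JWK was registered in the client's `jwks`.

```python
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed placeholder values standing in for {host} and {clientId} in the post.
HOST = "example.okta.com"
CLIENT_ID = "0oaEXAMPLECLIENTID"
ORG_TOKEN_ENDPOINT = f"https://{HOST}/oauth2/v1/token"            # org authorization server
CUSTOM_TOKEN_ENDPOINT = f"https://{HOST}/oauth2/default/v1/token"  # custom authorization server
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(client_id: str, token_endpoint: str,
                 now: Optional[int] = None, ttl: int = 300) -> Dict:
    """Claim set for a private_key_jwt client assertion (RFC 7523 section 3).
    exp/iat are integer NumericDates, and jti makes the assertion single-use
    so a captured one cannot be replayed by a third party."""
    now = int(time.time()) if now is None else now
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}


def build_client_assertion(claims: Dict, sign: Callable[[bytes], bytes],
                           kid: str, alg: str = "RS256") -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(signature).
    `sign` must produce an RS256 signature with the private key whose public
    JWK (same kid) was registered in the client's jwks."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign(signing_input.encode()))


def decode_payload(assertion: str) -> Dict:
    """Decode the payload segment without verifying it, to inspect what was sent."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(claims: Dict, token_endpoint: str, scopes: List[str],
              now: Optional[int] = None) -> List[str]:
    """List the problems that would make the token endpoint reject the request."""
    now = int(time.time()) if now is None else now
    problems = []
    if not isinstance(claims.get("exp"), int):
        problems.append("exp must be an integer NumericDate, not a string")
    elif claims["exp"] <= now:
        problems.append("assertion already expired")
    if claims.get("aud") != token_endpoint:
        problems.append(f"aud {claims.get('aud')!r} does not match the endpoint called {token_endpoint!r}")
    if claims.get("iss") != claims.get("sub"):
        problems.append("iss and sub must both be the client_id")
    if "jti" not in claims:
        problems.append("no jti: the assertion is replayable for its whole lifetime")
    # Okta's org authorization server (/oauth2/v1/token) only issues okta.* scopes;
    # custom scopes are served by a custom authorization server (/oauth2/{id}/v1/token).
    if urlparse(token_endpoint).path == "/oauth2/v1/token" and any(not s.startswith("okta.") for s in scopes):
        problems.append("custom scopes requested from the org authorization server")
    return problems


def token_request_form(assertion: str, scopes: List[str]) -> Dict:
    """Form body for the client_credentials request shown in the post."""
    return {"grant_type": "client_credentials", "scope": " ".join(scopes),
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}


def placeholder_signer(data: bytes) -> bytes:
    """Stand-in for the demo only: NOT a signature. In real use, sign with the
    RSA private key (RS256) matching the JWK registered for the client."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    # The claim set from the post: exp as a string, aud on the org server, no jti.
    posted = {"aud": ORG_TOKEN_ENDPOINT, "iss": CLIENT_ID, "sub": CLIENT_ID, "exp": "1617045105"}
    for p in preflight(posted, ORG_TOKEN_ENDPOINT, ["customScope"]):
        print("problem:", p)
    good = build_claims(CLIENT_ID, CUSTOM_TOKEN_ENDPOINT)
    assertion = build_client_assertion(good, placeholder_signer, kid="demo-kid")
    print("preflight:", preflight(good, CUSTOM_TOKEN_ENDPOINT, ["customScope"]) or "ok")
    print(token_request_form(assertion, ["customScope"]))
```

Running the block prints the three problems the pre-flight finds in the posted claim set, then an empty problem list for a claim set whose `aud` is the custom authorization server's token endpoint. The `aud` check is deliberately an exact match: the assertion is bound to the one token endpoint it is presented to, so an assertion minted for the org server cannot be reused against a custom server.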