I’m trying to use this documentation to create a JWT so I can read a list of users from Okta’s API using client credentials. When I submit the form values to generate a JWT, it results in the following error.
My use case is I’m trying to create an API integration in another system that uses client credentials to get a user. Ideally, the following would work (from these docs):
{"error":"invalid_client","error_description":"Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."}
Hey @mraible! Can you provide a screenshot showing what you are providing to jsonwebtoken.dev when you try to use it to generate a JWT (censoring your private key, naturally!)? I think I’ve encountered this issue before as well, but I believe the cause was due to some malformed JSON bodies being passed in.
Ah, that might be it then. While your payload looks good, you need to pass it a private key, not a public key, to sign the JWT, which is why you need to generate your own key pair for this purpose.
Luckily, you can let Okta generate a public/private key pair for you either within the UI or via API. You can then use the JWKS (for the public/private key) that Okta returns as your signing key, and it will contain all the parts of a private key. The structure of this key is as follows:
Happy Friday, Andrea! I was able to generate a public/private key with the UI and successfully generated a signed JWT using https://www.jsonwebtoken.dev. I set this as a TOKEN environment variable, then tried to Get an access token as specified in the docs:
{
"errorCode": "invalid_client",
"errorSummary": "A client_id must be provided in the request.",
"errorLink": "invalid_client",
"errorId": "oaeuwYwd_9ZQY6MxWgxAiBvzQ",
"errorCauses": []
}
The client ID I used to generate the signed JWT is from the service app I created. Do the docs need to be updated or am I doing something wrong?
If I don’t use $TOKEN in the curl command, and use the raw value instead, it works. Then, I can make a request to the /api/v1/users API with the returned access token and see users.
Here are the HTTPie commands (for my own reference, since it’s my preferred HTTP client).
# Get an access token with a signed JWT
https --form POST dev-87506503.okta.com/oauth2/v1/token \
'Accept: application/json' \
grant_type=client_credentials \
scope=okta.users.read \
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
client_assertion=$TOKEN
ACCESS_TOKEN=<returned value>
https dev-87506503.okta.com/api/v1/users Authorization:'Bearer '$ACCESS_TOKEN