We are currently working on configuring our Okta tenant so we can do the following tasks:
- Obtain an OAuth 2.0 token using the client credentials flow with a client secret
- Utilize this token to make an API call (e.g., fetching the apps list)
We have successfully implemented the client credentials flow using a JWT signed with a key pair. However, we face challenges when attempting to do the same using a client secret (and unfortunately we need to use a client secret).
What We’ve Done So Far
App Creation:
- Sign-in method - API Services
- Client authentication - Client Secret
- DPoP is not required
- Granted Okta API Scope: okta.apps.read
Authorization Server Configuration:
- Added “default” scope and set it as the default, for “default” authorization server
Option #1 (Not working): Client Credentials Flow (Client Secret) with Basic Authorization
This is per the Okta Developer documentation.
curl --request POST \
--url https://<okta-tenant>.okta.com/oauth2/default/v1/token \
--header 'accept: application/json' \
--header 'authorization: Basic MG9hZ…VVNYg==' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&scope=default'
We received the access token and used it in the following request:
curl -v -X GET \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--header "authorization: Bearer eyJraW…6A" \
"https://<okta-tenant>.okta.com/api/v1/apps"
Error happened in the response to this request:
www-authenticate: Bearer authorization_uri="http://<okta-tenant>.okta.com/oauth2/v1/authorize", realm="http://<okta-tenant>.okta.com", scope="okta.apps.read", error="invalid_request", error_description="The authorization server id is invalid.", resource="/api/v1/apps"
Option #2 (Not working): Standard OAuth 2.0 Client Credentials Flow (Client Secret):
This follows the OAuth 2.0 standard (passing the client secret in the request body instead of in the Authorization Basic header, as the Okta documentation shows).
curl -X POST "https://<okta-tenant>.okta.com/oauth2/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=0oaf…7&client_secret=zFZ…Z&scope=default"
Error happened in response to this request:
{"error":"invalid_client","error_description":"Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."}
We’d greatly appreciate guidance on the following:
- Are we overlooking anything regarding configuration to get OAuth2 client credentials flow using a client secret?
- Is this method supported at all, compared to using JWT signing? (We’ve noticed several posts from others struggling with similar issues in implementing it.)