Challenges in Accessing Okta API with Client Credentials Flow Using Client Secret

We are currently working on configuring our Okta tenant so we can do the following tasks:

  • Obtain an OAuth 2.0 token using the client credentials flow using Client Secret
  • Utilize this token to make an API call (e.g., fetching the apps list)

While we have successfully implemented the client credentials flow using a JWT signed with a keypair. However, we face challenges when attempting to do the same using a client secret (and unfortunately we need to use client secret).

What We’ve Done So Far

App Creation:

  • Sign-in method - API Services
  • Client authentication - Client Secret
  • (DPoP) is not required
  • Granted Okta API Scope: okta.apps.read

Authorization Server Configuration:

  • Added “default” scope and set it as the default, for “default” authorization server

Option #1 (Not working): Client Credentials Flow (Client Secret) with Basic Authorization

This is per Okta documentation (Okta Developer)

curl --request POST \
--url https://<okta-tenant>.okta.com/oauth2/default/v1/token \
--header 'accept: application/json' \
--header 'authorization: Basic MG9hZ…VVNYg==' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&scope=default'

We got the access token received and used it in the following request:

curl -v -X GET -H "Accept: application/json" -H "Content-Type: application/json" -H "authorization: Bearer eyJraW…6A" "https://<okta-tenant>.com/api/v1/apps"

Error happened in the response to this request:

www-authenticate: Bearer authorization_uri="http://<okta-tenant>.okta.com/oauth2/v1/authorize", realm="http://<okta-tenant>.okta.com", scope="okta.apps.read", error="invalid_request", error_description="The authorization server id is invalid.", resource="/api/v1/apps"

Option #2 (Not working): Standard OAuth 2.0 Client Credentials Flow (Client Secret):

This follows the OAUth2 standard (passing Client Secret in the body vs in the Authorization Basic header as Okta documentation shows).

curl -X POST "https://<okta-tenant>.okta.com/oauth2/v1/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=0oaf…7&client_secret=zFZ…Z&scope=default"

Error happened in response to this request:

{“error”:“invalid_client”,“error_description”:“Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method.”

We’d greatly appreciate guidance on the following:

  • Are we overlooking anything regarding configuration to get OAuth2 client credentials flow using a client secret?
  • Is this method supported at all, compared to using JWT signing? (We’ve noticed several posts from others struggling with similar issues in implementing it.)

You need to use Private Key JWT client authentication and you need to request tokens from the Org Authorization Server in order to receive back tokens with the okta.apps.read (or other management) scope.

Check out our guide here on how to get OAuth tokens that can be used against Okta’s APIs with an API Service app: Implement OAuth for Okta with a service app | Okta Developer