I’ve followed the instructions for setting up client credentials grant including a custom scope.
I can successfully retrieve an access_token using the client id, client secret and custom scope, but any subsequent REST requests setting the authorization header with the access token do not work, resulting in a 400 error with a status text of “Bad Request”.
If you’re trying to use Client Credentials flow to get an Access Token you can use against Okta’s APIs (what we call OAuth for Okta), make sure your application is configured for private_key_jwt auth.
Since you are trying to make a GET to /Users, make sure you request the okta.users.read scope. You can find the scope required for a given management endpoint request in our API docs, such as this one for the List all Users request.
So just to confirm, the Okta client credentials grant type using a client id and client secret is not supported? This is a bit confusing as the docs Implement authorization by grant type | Okta Developer say otherwise.
Client Credentials grant with Client Secret auth is supported for use with custom authorization servers, which is what the guide you link to covers. The guide I linked to describes how to use Client Credentials grant type with the org authorization server, which is the one you will need to use in order to receive Access Tokens that can be used against Okta’s own APIs.
OK, thanks for the clarification. Is it possible to file a support ticket to outline this for future developers? I’ve done integrations with over a dozen various auth providers and this one burned me really badly.
Very fair point. I’ll submit a recommendation to our documentation team to update the “Implement authorization by grant type” guide to make this more clear.
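The flow the thread settles on, as an added example that is not part of the original posts and not Okta's own code: a client_credentials request to the org authorization server token endpoint (/oauth2/v1/token) authenticated with a private_key_jwt client assertion instead of a client secret, requesting okta.users.read, and then a GET to /api/v1/users with the returned bearer token. The org URL, client ID, key ID and private key are placeholders you supply; the RS256 signing helper assumes the `cryptography` package is installed, and the JWK registered on the Okta application must be the public half of that key.

```python
"""Client Credentials against the Okta org authorization server (OAuth for Okta).

Added example; not code from the thread or from Okta. The org URL, client_id,
kid and private key are placeholders to be replaced with your own values.
"""
import base64
import json
import time
import uuid
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v1/token"   # org authorization server, not a custom /oauth2/<id> server
USERS_PATH = "/api/v1/users"      # management endpoint that requires the okta.users.read scope
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_client_assertion(client_id: str, org_url: str, signer, now=None, kid=None) -> str:
    """Build the private_key_jwt client assertion (RFC 7523 / RFC 7521).

    `signer` takes the JWT signing input (bytes) and returns the raw RS256 signature.
    iss and sub are both the client_id, aud is the org token endpoint, exp is short-lived.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    if kid:
        header["kid"] = kid  # must match the kid of the JWK registered on the app
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": org_url.rstrip("/") + TOKEN_PATH,
        "iat": now,
        "exp": now + 300,
        "jti": str(uuid.uuid4()),  # unique per assertion; Okta rejects replays
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    return signing_input + "." + b64url_encode(signer(signing_input.encode("ascii")))


def rs256_signer(private_key_pem: bytes):
    """Return a signer closure backed by the `cryptography` package (assumed installed)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)

    def sign(data: bytes) -> bytes:
        return key.sign(data, padding.PKCS1v15(), hashes.SHA256())

    return sign


def token_request_form(client_assertion: str, scope: str = "okta.users.read") -> dict:
    """Form fields for the token request. Note: no client_id/client_secret pair;
    the signed assertion is what authenticates the client."""
    return {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": client_assertion,
    }


def fetch_access_token(org_url: str, form: dict) -> str:
    body = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(org_url.rstrip("/") + TOKEN_PATH, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def list_users(org_url: str, access_token: str) -> list:
    req = urllib.request.Request(org_url.rstrip("/") + USERS_PATH, method="GET",
                                 headers={"Authorization": "Bearer " + access_token,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: replace with your org URL, app client ID, JWK kid and PEM private key.
    ORG_URL = "https://example.okta.com"
    CLIENT_ID = "0oaPLACEHOLDERclientid"
    with open("client_private_key.pem", "rb") as fh:
        signer = rs256_signer(fh.read())
    assertion = build_client_assertion(CLIENT_ID, ORG_URL, signer, kid="placeholder-kid")
    token = fetch_access_token(ORG_URL, token_request_form(assertion))
    print(len(list_users(ORG_URL, token)), "users returned")
```

If the token request itself succeeds but the /api/v1/users call still fails, check that the token came from the org authorization server (aud in the assertion and the endpoint in TOKEN_PATH both point at /oauth2/v1, not a custom server) and that okta.users.read was granted to the application and present in the issued token's scopes.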