Client Credentials Grant Not Working

I’ve followed the instructions for setting up client credentials grant including a custom scope.

I can successfully retrieve an access_token using the client id, client secret and custom scope, but any subsequent REST requests setting the authorization header with the access token do not work, resulting in a 400 error with a status text of “Bad Request”.

I’ve gone through the app creation and scope creation process multiple times following the directions as documented here: Implement authorization by grant type | Okta Developer

Is there something I am missing here?

What types of requests are failing? What endpoint are you sending the access token to?

Hi Andrea and thanks for your response. Let me know if you need the tenant id or client id.

curl request

curl -X GET 'https://dev-[tenant id].okta.com/api/v1/users' --oauth2-bearer $token.access_token$

If you’re trying to use Client Credentials flow to get an Access Token you can use against Okta’s APIs (what we call OAuth for Okta), make sure your application is configured for private_key_jwt auth.

More information about how to set up the app and request a token can be found in our guide here: Implement OAuth for Okta with a service app | Okta Developer

Since you are trying to make a GET to /Users, make sure you request the okta.users.read scope. You can find the scope required for a given management endpoint request in our API docs, such as this one for the List all Users request.

So just to confirm, the okta client credentials grant type using a client id and client secret is not supported? This is a bit confusing as the docs Implement authorization by grant type | Okta Developer say otherwise.

Client Credentials grant with Client Secret auth is supported for use with custom authorization servers, which is what the guide you link to covers. The guide I linked to describes how to use the Client Credentials grant type with the org authorization server, which is the one you will need to use in order to receive Access Tokens that can be used against Okta’s own APIs.

This guide goes into more detail about the differences between the types of authorization server: Available authorization server types | Okta Developer
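To make the distinction in the two replies above concrete (org authorization server plus private_key_jwt for tokens that work against /api/v1/*, versus a custom authorization server with a client secret for your own APIs), here is an added example that is not code from this thread or from Okta. It builds the client_credentials token request for the org authorization server: a JWT client assertion with iss/sub set to the client id and aud set to the token endpoint, requested with the okta.users.read scope, and no client_secret anywhere. The org URL and client id are placeholders; the RS256 signer assumes the third-party `cryptography` package, and the HMAC stand-in signer is a constructed substitute so the script runs offline without a key pair (Okta itself requires an asymmetric algorithm such as RS256).

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

# Fixed by the OAuth 2.0 JWT client-assertion profile (RFC 7523).
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def org_token_endpoint(org_url: str) -> str:
    """Token endpoint of the *org* authorization server.

    Note the path: /oauth2/v1/token, with no authorization server id.
    A custom server is /oauth2/<serverId>/v1/token and its tokens are
    not accepted by the management API under /api/v1/.
    """
    return org_url.rstrip("/") + "/oauth2/v1/token"


def build_client_assertion(client_id, token_endpoint, sign, alg="RS256",
                           now=None, lifetime=300):
    """Return the signed JWT sent as client_assertion.

    `sign` takes the signing-input bytes and returns the raw signature, so the
    private key stays with the caller and never enters the request body.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {
        "iss": client_id,          # the service app is both issuer and subject
        "sub": client_id,
        "aud": token_endpoint,     # audience is the token endpoint itself
        "iat": now,
        "exp": now + lifetime,     # keep assertions short-lived
        "jti": str(uuid.uuid4()),  # unique id so a replayed assertion can be rejected
    }

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def build_token_request(org_url, client_id, scopes, sign, alg="RS256", now=None):
    """Form fields for POST <org>/oauth2/v1/token. Deliberately no client_secret."""
    endpoint = org_token_endpoint(org_url)
    fields = {
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),  # okta.users.read is what GET /api/v1/users needs
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": build_client_assertion(client_id, endpoint, sign, alg, now),
    }
    return endpoint, fields


def encode_form(fields):
    """application/x-www-form-urlencoded body for the token POST."""
    return urlencode(fields)


def authorization_header(access_token):
    """Header to attach to the subsequent management API call."""
    return {"Authorization": "Bearer " + access_token}


def decode_header(jwt):
    return json.loads(b64url_decode(jwt.split(".")[0]))


def decode_claims(jwt):
    return json.loads(b64url_decode(jwt.split(".")[1]))


def rsa_signer(private_key_pem: bytes):
    """RS256 signer using the `cryptography` package (assumed installed)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def stand_in_signer(data: bytes) -> bytes:
    """Constructed HMAC stand-in (pair with alg='HS256') so the script runs
    offline; Okta requires an asymmetric algorithm such as RS256 instead."""
    return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()


if __name__ == "__main__":
    endpoint, fields = build_token_request(
        "https://dev-000000.okta.com",   # placeholder org URL
        "0oa_placeholder_client_id",     # placeholder service app client id
        ["okta.users.read"],
        stand_in_signer, alg="HS256",
    )
    print("POST", endpoint)
    print(encode_form(fields))
    print(decode_claims(fields["client_assertion"]))
```

For a real run, replace the stand-in with `rsa_signer(pem)` for the key pair registered on the service app, POST `encode_form(fields)` to the returned endpoint, and send `authorization_header(access_token)` with the GET to /api/v1/users; a 400 at that point with a token minted by a custom authorization server, or without the okta.users.read scope, is the failure mode described in the thread.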

Ok, thanks for the clarification. Is it possible to file a support ticket to outline this for future developers? I’ve done integrations with over a dozen various auth providers and this one burned me really badly.


Very fair point. I’ll submit a recommendation to our documentation team to update the “Implement authorization by grant type” guide to make this more clear.