Hey! I am new to Okta and recently set up an App of type ‘Web’ and got it working flawlessly in my OIDC/OAuth 2 Authorization Code flow. However, I also have a need for server to server and need to hit the groups API. There is a “Client Credentials” option on the App, so I thought it would work.
EX: https://***.okta.com/api/v1/groups
However, I get an “Invalid Session” trying to hit the API directly with Base64 client id / secret creds.
When I try to trade those creds in for a token using the “oauth2/v1/token” endpoint, I get this error:
“Only clients with ‘application_type’ of ‘service’ may use the client_credentials ‘grant_type’ with the Org Authorization Server.”
I assume that I will have to create a second App of type Service, which is less than ideal. Is this supposed to work and I have something configured incorrectly? If not, what is the “Client Credentials” checkbox on a Web app meant to do? Is there any way to get this working with one app?
If you are trying to get Access Tokens that you can use against Okta’s API endpoints, including /api/v1/groups, then the only way you can use the Client Credentials grant type to receive these tokens is if the Client Authentication method is set to private_key_jwt and the process described in our guide here is used to receive said tokens from the built-in Org Authorization Server. Use of the client_secret_basic or client_secret_post authentication methods is NOT supported for this use case.
That said, if your org has the ability to use a Custom Authorization Server, the Client Credentials flow using client_secret_basic or client_secret_post authentication is supported when requesting tokens from that custom authorization server. Note that you cannot use tokens issued by a custom authorization server against Okta Admin Management endpoints (e.g. /api/v1/groups).
So, yes, if your Web application needs to use client_secret_basic or client_secret_post and you also need to be able to use OAuth tokens against Okta’s own APIs, then you will need a separate API Services application configured for private_key_jwt.
To add more details on @andrea’s response, since you’re looking to support user-facing authentication with an auth code, plus machine-to-machine connections with Okta resources in one Okta app, you’ll no longer have a client secret to use for the code flow. Instead, you’ll use the private key JWT in your calls to the /tokens endpoint.
Please let us know how it goes or if you need anything else!
If you need to get tokens programmatically using the Client Credentials grant type (M2M style), then the only option is private_key_jwt.
If you instead have users in your application that are Okta admins and therefore would have sufficient permissions to manage these resources, then these users can request tokens with okta admin scopes using any other oauth flow and client authentication method.