Client_credentials with application_type as web


I have created an application that accepts grant_types as both authorization_code and client_credentials. Application type has been set as “web”. However, when I try to retrieve the token I get an error saying “Only clients with ‘application_type’ of ‘service’ may use the client_credentials ‘grant_type’ with the Org Authorization Server.”

The documentation says that "client_credentials with a web Application type allows you to use one client_id for an Application that needs to make user-specific calls and back-end calls for data."

Can someone please let me know how to use the OAuth 2 client_credentials grant type with an application type of web?


Hi @ashfaq

You will need to use a custom authorization server, created through the API Access Management feature, to issue access tokens that are not bound to a user. For this, please navigate in your administrative dashboard to Security >> API >> Authorization Servers (or API >> Authorization Servers if using the Developer Console), copy the issuer for the authorization server that you will be using, and add it in your application. The requests should forward now to something similar to or Please note that you will need to create a custom scope from within the authorization server, which will need to be passed in the request to the /token endpoint as mentioned here.

Alternatively, if you do not see the Authorization Servers tab, you can implement the OAuth for Okta client credentials flow, which uses one of the scopes available here to issue access tokens using the Okta authorization server.
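The request described in the answer above, as an added example that is not part of the thread or Okta's own code: it builds a client_credentials call against a custom authorization server and rejects an Org Authorization Server issuer before anything is sent. The domain `example.okta.com`, the server id `default`, the scope name and the credentials are constructed placeholders, and the issuer layout `https://<okta-domain>/oauth2/<authorization-server-id>` is an assumption stated in the code.

```python
import base64
import urllib.parse
import urllib.request


def token_endpoint(issuer: str) -> str:
    """Return the /v1/token URL for a custom authorization server issuer.

    Assumption: a custom authorization server issuer looks like
    https://<okta-domain>/oauth2/<authorization-server-id>, while the Org
    Authorization Server issuer is the bare https://<okta-domain>.
    """
    parts = urllib.parse.urlsplit(issuer.rstrip("/"))
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an absolute https URL")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "oauth2":
        # A bare-domain issuer is the Org Authorization Server, which only
        # allows client_credentials for application_type 'service'.
        raise ValueError("issuer is not a custom authorization server")
    return f"https://{parts.netloc}/oauth2/{segments[1]}/v1/token"


def build_client_credentials_request(issuer, client_id, client_secret, scope):
    """Build (but do not send) the token request for a web application."""
    if not scope or not scope.strip():
        raise ValueError("a custom scope defined on the authorization server is required")
    # Client authentication via HTTP Basic: base64("client_id:client_secret").
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    ).encode()
    return urllib.request.Request(
        token_endpoint(issuer),
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )
```

Passing the returned object to `urllib.request.urlopen()` sends the request; keep the client secret out of source control and load it from a secret store or environment variable.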