In my dev org, the Org Authorization Server (/oauth2/v1/token) rejects client_secret with a private_key_jwt requirement, even when my API Service app is set to 'Client secret'. Is this an org-wide policy? How can I enable client_secret?
An error has occurred. (System.Exception)
Failed to obtain OAuth token: Unauthorized - Unauthorized. Details: {"error":"invalid_client","error_description":"Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."}
When you use the client_credentials grant with the Org auth server, you will be able to request Okta scopes. private_key_jwt is the only authentication method allowed when using a service app for requesting Okta scopes.
The private_key_jwt client authentication method is the only supported method for OAuth service apps that want to get access tokens with Okta scopes.
If you want to use client_credentials with a custom authorization server which protects your resource server, you could set your own constraints and allow client_secret_basic or client_secret_post.
Our client is using Okta and wants us to use SSO to log in to our website, which is a .NET web application.
We want to make sure the user exists in their Okta setup before creating that user in our web application. How can we achieve this?
If you are trying to provision users in your .NET web application, you can either:
JIT - Integrate your app with Okta through protocols such as OIDC or SAML and use just-in-time (JIT) provisioning based on the user claims you receive from Okta during user login, or
AOT - Use a protocol like SCIM, or use Okta endpoints as you are trying to do (but with private key JWT), to load user details into your system ahead of time (AOT).
I am working on integrating Okta into SailPoint, explicitly trying to set the status attribute of a user in Okta using an HTTPS call.
In this case, I have a restriction in one of my UIs to use the client credentials grant type with a client ID and client secret.
The Okta team has generated a clientID and clientSecret, but when I try to make a call via Postman to generate the access token, I get the below error:
{
"error": "invalid_client",
"error_description": "Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."
}
Does this mean that it's not possible to use the client ID/secret way of minting an access token?
@vbham - Okta provides two types of authorization servers: the org auth server and the custom auth server. The org auth server can be used to access Okta's management endpoints, such as managing users, groups, apps, etc. Read this for detailed info on the topic.
The private_key_jwt requirement is only applied when you request a token from the org auth server. So if you want to request Okta scopes and/or work with Okta management endpoints, you have to use private_key_jwt auth.
Client secret or private_key_jwt auth can be used with a custom authorization server.