In my dev org, the Org Authorization Server (/oauth2/v1/token) rejects client_secret with a private_key_jwt requirement, even when my API Service app is set to ‘Client secret.’ Is this an org-wide policy? How can I enable client_secret?”
An error has occurred. (System.Exception)
Failed to obtain OAuth token: Unauthorized - Unauthorized. Details: {“error”:“invalid_client”,“error_description”:“Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method.”}
When you use client_credentials grant with Org auth server, you will be able to request Okta scopes. private_key_jwt is the only authentication method allowed when using a service app for requesting Okta scopes.
The private_key_jwt client authentication method is the only supported method for OAuth service apps that want to get access tokens with Okta scopes.
If you want to use client_credentials with a custom authorization server which protects your resource server, you could set your own constraints and allow client_secret_basic or client_secret_post.
Our Client is using Okta and want us to use SSO to login our WebSite which is .Net Web Applicaiton.
We want to make sure user exist in their okta setup before creating that user in our web application. how can we achieve this?
If you are trying to provision users in your dotnet web application, you can either
JIT - Integrate your app with Okta through protocols such as OIDC or SAML and use just in time (JIT) provisioning based on the user claims you receive from Okta during user login or
AOT - You can use protocol like SCIM or use Okta endpoints like how you are trying to do (but with private key JWT) to load user details into your system ahead of time (AOT)