I have an API that requires an access token, which can be obtained using the following request:
Access Token Request
curl --location 'https://test.com/v2/oauth2/clientcredentials/accesstoken' \
--header 'Accept: application/json' \
--header 'x-apikey: abcd' \
--header 'Authorization: Basic sdfdsbbvdd==' \
--header 'grant_type: client_credentials'
Response
{
"token_type": "BearerToken",
"issued_at": "1741951640345",
"access_token": "SdLUzPZ0Q8EqsWGnSq3PYVyuFbXN",
"scope": "",
"expires_in": "1799",
"status": "approved"
}
Once the access token is obtained, I need to use it for a second API request:
Second API Request
curl --location --globoff 'https://test.com/testservice/api/v1/guests' \
--header 'Accept: application/vnd.api+json' \
--header 'Authorization: Bearer SdLUzPZ0Q8EqsWGnSq3PYVyuFbXN' \
--header 'x-apikey: abcd'
Questions:
- How can I configure a Custom Connection Builder for this flow?
- What authentication method should I use, given that Basic Auth did not return an access token?
- How can I extract the access_token from the API response in an automated way?
- If using OAuth 2.0 Client Credentials Flow, how do I pass Username:Password in Base64 encoded format in the first request?
Any insights or guidance would be greatly appreciated!
Hi @sachin34,
Can you share what API you use?
How can I configure a Custom Connection Builder for this flow?
A connector consists of several flows:
- A flow to make HTTP requests.
- A flow to check authentication to the service is working.
- One or more action flows. Each action flow calls a service’s API endpoint.
We have a tutorial showing how to build a custom connector to Spotify. It uses an Authorization Code instead of Client Credentials, but the general steps will be similar.
What authentication method should I use, given that Basic Auth did not return an access token?
Use Basic authentication since that’s what the first API call uses to request an access token.
How can I extract the access_token from the API response in an automated way?
You will use a connection to get the access token.
A connection you use for testing the connector (in the Connector Builder) will be listed under Test Connections.
When building a flow, a user using your connector will create a connection (like they do today with any action card).
If using OAuth 2.0 Client Credentials Flow, how do I pass Username:Password in Base64 encoded format in the first request?
The connection will pass the Client ID and Client Secret as username:password (in Base64).
Thank you @maxkatz for your response,
I have a private API used internally within my organization. My understanding of setting up the connection for the connector builder is to bypass the authentication call. However, since my API uses Basic Auth and I cannot extract the access token directly, I now need to handle it manually.
My approach is to create an httpHelper flow that:
- Calls the first API to extract the access token.
- Manually creates a header object with Bearer <access_token>.
- Triggers the second API using the generated header.
I was exploring whether there’s a way to avoid making two API calls in this scenario.
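The two-step flow from the post above, written out as an added example (not code from the thread or from Okta): it requests the token with the Basic and x-apikey headers, extracts access_token, and reuses it until shortly before expires_in so the token call is not repeated for every request. TokenCache, the send transport and the "id"/"secret" values are assumptions for illustration; the URL, header names and sample response come from the thread.

```python
import base64
import json
import time

TOKEN_URL = "https://test.com/v2/oauth2/clientcredentials/accesstoken"  # from the thread

# Token response copied from the thread; used as sample input for offline runs.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "BearerToken", "issued_at": "1741951640345",
    "access_token": "SdLUzPZ0Q8EqsWGnSq3PYVyuFbXN", "scope": "",
    "expires_in": "1799", "status": "approved",
})


def basic_header(client_id, client_secret):
    """Basic <Base64(client_id:client_secret)>. Encoding, not encryption: TLS only."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenCache:
    """Fetches a token on first use and reuses it until shortly before expiry."""

    def __init__(self, send, client_id, client_secret, api_key, skew=60, clock=time.time):
        self._send = send        # assumed transport: send(url, headers) -> body text
        self._api_key = api_key
        self._auth = basic_header(client_id, client_secret)
        self._skew, self._clock = skew, clock
        self._token, self._expires_at = None, 0.0

    def _refresh(self):
        headers = {"Accept": "application/json", "x-apikey": self._api_key,
                   "Authorization": self._auth, "grant_type": "client_credentials"}
        body = json.loads(self._send(TOKEN_URL, headers))
        if body.get("status") != "approved" or not body.get("access_token"):
            raise RuntimeError("token request not approved")  # never log the body
        self._token = body["access_token"]
        # expires_in arrives as a string of seconds; refresh `skew` seconds early.
        self._expires_at = self._clock() + int(body["expires_in"]) - self._skew

    def bearer_headers(self):
        """Headers for the second call, e.g. GET /testservice/api/v1/guests."""
        if self._token is None or self._clock() >= self._expires_at:
            self._refresh()
        return {"Accept": "application/vnd.api+json", "x-apikey": self._api_key,
                "Authorization": f"Bearer {self._token}"}


if __name__ == "__main__":
    cache = TokenCache(lambda url, headers: SAMPLE_RESPONSE, "id", "secret", "abcd")
    print(sorted(cache.bearer_headers()))  # header names only; token stays out of logs
```
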
Hi @sachin34,
Can you call your API from the Internet? You can only call a public API in Workflows.
Maybe we first call your API using the API Connector card.
Can you share the docs for the API?
I highly recommend you read Understanding Okta Workflows Connectors to learn about various options for calling APIs in Workflows.
Yes, the API is accessible over the internet and is secured behind Apigee. To access it, we first call Apigee’s authentication endpoint using the X-ApiKey to obtain an access token. This access token is then used to make a second API call to /testservice.
Sure @maxkatz, I will go through the documentation you suggested. Thank you so much for your help.
This helps.
Then, you would set up Authentication in the connector:
Then, you can start building the first connector flow: httpHelper.
The connector will pass the connection information (the token) to this flow, and you can make the API call.
Hi @maxkatz, I attempted to set up authentication in the connector using the client_credentials flow. However, my initial authentication call requires a header with the key "Authorization" and a value in the format "Basic <Base64-encoded username:password>".
In the client_credentials flow, the connection sends the Client ID and Client Secret as username:password in Base64 encoding.
Yes @maxkatz, Basic Authentication works, but is there a way to extract the access token from the response?
You are correct. Basic won’t work here.
When you tried client_credentials, did you set the ‘Client Authentication Type’ to ‘Send as basic auth header’?
Can you share the request the connection sends and the error message?
Yes @maxkatz, I set the ‘Client Authentication Type’ to ‘Send as basic auth header’, but somehow I am unable to make the connection. The error is: Failed to connect. I am not sure where I can debug the request and response.
I successfully set up an OAuth 2.0 (Client Credentials) connection to Spotify. I received an access token and made an API call.
This is my connector’s connection:
For testing, you need to set up a connection:
I get the access token inside the httpHelper flow:
Can you share your set up screenshots?
Hi @maxkatz, thank you so much for your response on this.
My requirement for obtaining an access token is as follows:
curl --location --request GET 'https://test.com/v2/oauth2/clientcredentials/accesstoken' \
--header 'Accept: application/json' \
--header 'x-apikey: ' \
--header 'Authorization: Basic <Base64(client-key:client-secret)>' \
--header 'grant_type: client_credentials'
Using basic authentication, as shown in the screenshot below, I am able to establish a connection.
However, with this authentication type, there is no way to extract the access token from the response.
I need to understand how to set the header values in this approach. Where can I specify custom header values such as x-apiKey and grant_type in the OAuth 2.0 (Client Credentials) flow?
I tried the following approach but failed to establish the connection. The error suggests that the headers were not set correctly.
Hi @sachin34,
You shouldn’t need the ‘grant_type’ parameter.
Did you try placing the ‘x-apikey’ under Config Values?
Yes @maxkatz, I tried but failed to establish the connection. Upon debugging, I found the following error:
Unauthorized-Failed to resolve API Key variable request.header.x-apikey
I will find out what’s the correct format to send the extra header parameter.
Hi @sachin34,
I found out more about this.
The above request, with the x-apikey header, appears to be a non-standard OAuth and the Connector Builder doesn’t support it.
You can add the API key parameter; the request will include it in the body:
You will have access to it in a flow:
Thank you @maxkatz, really appreciate you looking into this.