Custom Web application with OKTA REST API Integration

Hey, please help me!

Here I am trying to set up the user login using the /oauth2/v1/authorize API, but after this URL is hit by index.php, an Okta page loads instead of the redirect URL being called!

index.php:

```php
<?php
// Obtain the authorization code: send the browser to Okta's /authorize endpoint.
// $clientId is assumed to be set earlier in the file (placeholder value here).
$clientId = 'your-client-id';

$authUrl = "https://trial-12345.okta.com/oauth2/v1/authorize?" . http_build_query([
    'response_type' => 'code',
    'client_id'     => $clientId,
    'redirect_uri'  => 'http://localhost/abc/callback.php',
    'scope'         => 'openid email profile',
    'state'         => 'Bo234', // fixed value; should be random per request and checked again in callback.php
]);

header("Location: $authUrl");
exit; // stop running index.php once the redirect has been issued
```

Actual O/P:
https://trial-12345.okta.com/oauth2/v1/authorize?response_type=code&client_id=0oaikagga65TFGhjkjcgjhgt3697&redirect_uri=http%3A%2F%2Flocalhost%2Fabc%2Fcallback.php&scope=openid+profile+email&state=Bo234

Expected O/P:

authorization_code

So, is there any other option to receive the access_token via the REST API without redirecting to Okta?

The behavior you’re seeing is actually the expected flow for the Authorization Code grant type:

  1. Your code redirects the user to Okta’s /authorize endpoint.
  2. Okta presents a login page to authenticate the user.
  3. After successful authentication, Okta would redirect back to your callback.php with the authorization code.

This flow is designed to be interactive and requires user authentication through Okta’s interface.

If you need to obtain an access token without user interaction or redirection, you can go with the

Client Credentials Flow:

This flow is suitable for machine-to-machine authentication where you don’t need a user context!
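The two halves of the Authorization Code flow described in the reply above, as an added example that is not code from the original thread: index.php builds the /authorize URL with a per-request random state kept in the session, and callback.php checks that state before exchanging the code at /token. Assumptions: the org authorization server base https://trial-12345.okta.com/oauth2/v1 from the question, placeholder client credentials, and an injectable HTTP transport (`$post`) so the exchange can be walked through offline against a constructed response; `curlPost` is the live transport.

```php
<?php
// Added example, not from the original thread. Assumes the org authorization
// server from the question and placeholder client credentials.
declare(strict_types=1);

const ISSUER        = 'https://trial-12345.okta.com/oauth2/v1'; // assumption
const CLIENT_ID     = 'your-client-id';                          // placeholder
const CLIENT_SECRET = 'your-client-secret';                      // placeholder
const REDIRECT_URI  = 'http://localhost/abc/callback.php';

// Step 1 (index.php): build the /authorize URL. The state is random per request
// and stored server-side so callback.php can tie the response to this browser.
// A fixed value such as "Bo234" lets an attacker replay a callback URL into a
// victim's session (login CSRF).
function buildAuthorizeUrl(array &$session): string
{
    $state = bin2hex(random_bytes(16));
    $session['oauth_state'] = $state;
    return ISSUER . '/authorize?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'openid email profile',
        'state'         => $state,
    ]);
}

// Step 3 (callback.php): Okta redirects back with ?code=...&state=... .
// Verify the state before touching the code, then exchange the code at /token.
// $post(url, fields, basicAuth) -> [status, body] is the HTTP transport.
function handleCallback(array $query, array &$session, callable $post): array
{
    if (isset($query['error'])) {
        throw new RuntimeException('authorize failed: ' . $query['error']);
    }
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']); // single use: a replayed callback must fail
    if ($expected === null || !isset($query['state'])
        || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('state mismatch: possible CSRF or replayed callback');
    }
    if (empty($query['code'])) {
        throw new RuntimeException('no authorization code in callback');
    }
    [$status, $body] = $post(ISSUER . '/token', [
        'grant_type'   => 'authorization_code',
        'code'         => $query['code'],
        'redirect_uri' => REDIRECT_URI, // must match the /authorize request exactly
    ], CLIENT_ID . ':' . CLIENT_SECRET);
    $tokens = json_decode($body, true);
    if ($status !== 200 || !is_array($tokens) || !isset($tokens['access_token'])) {
        throw new RuntimeException('token exchange failed: ' . $body);
    }
    return $tokens; // access_token, id_token, expires_in, ...
}

// Live transport: form-encoded POST with client_id:client_secret as HTTP Basic,
// the same shape as the cURL code posted in this thread.
function curlPost(string $url, array $fields, string $basicAuth): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $basicAuth,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body === false ? '' : $body];
}
// In the real pages: index.php -> header('Location: ' . buildAuthorizeUrl($_SESSION)); exit;
//                    callback.php -> $tokens = handleCallback($_GET, $_SESSION, 'curlPost');

// Offline walk-through with a fake transport (constructed response, no network).
$session = [];
parse_str(parse_url(buildAuthorizeUrl($session), PHP_URL_QUERY), $q);
$fake = fn(string $u, array $f, string $a) => [200, json_encode([
    'access_token' => 'eyJ.example', 'token_type' => 'Bearer', 'expires_in' => 3600,
])];
// Okta redirects back carrying the same state we issued
$tokens = handleCallback(['code' => 'abc123', 'state' => $q['state']], $session, $fake);
echo "token_type: {$tokens['token_type']}\n";
// a replayed or forged state is rejected
try {
    handleCallback(['code' => 'abc123', 'state' => 'Bo234'], $session, $fake);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The state check is the part the original index.php is missing: without it, any URL of the form callback.php?code=...&state=Bo234 is accepted, so an attacker can log a victim's browser into the attacker's account.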

Thank you for your response @SitaRam

I guess the Identity Engine has revoked the "Resource Owner" grant type flow. Anyway, I have followed the method you suggested; the response below shows client_credentials not allowed, but I have configured client_credentials for my application.

```php
<?php
$oktaDomain   = 'https://your-okta-domain.okta.com';
$clientId     = 'your-client-id';
$clientSecret = 'your-client-secret';
$tokenUrl     = $oktaDomain . '/oauth2/default/v1/token';

// User credentials (Resource Owner Password grant; the client itself
// authenticates separately via HTTP Basic below)
$data = [
    'grant_type' => 'password',
    'username'   => 'admin@dnz.com',
    'password'   => 'Vision@2020',
    'scope'      => 'openid profile', // Adjust scopes as needed
];

// Initialize cURL
$ch = curl_init();

// Set cURL options: form-encoded POST, client_id:client_secret as Basic auth
curl_setopt($ch, CURLOPT_URL, $tokenUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_USERPWD, $clientId . ':' . $clientSecret);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Accept: application/json']);

// Execute the request
$response = curl_exec($ch);

// Check for errors: transport failure first, then the JSON body
if ($response === false) {
    echo 'Error: ' . curl_error($ch);
} else {
    // Decode the response; on failure Okta returns {"error": ..., "error_description": ...}
    $responseData = json_decode($response, true);
    if (isset($responseData['access_token'])) {
        echo 'Access Token: ' . $responseData['access_token'];
    } else {
        echo 'Error: ' . print_r($responseData, true);
    }
}

// Close cURL session
curl_close($ch);
```

API Response:

Error: Array ( [error] => unauthorized_client [error_description] => The client is not authorized to use the provided grant type. Configured grant types: [authorization_code, client_credentials]. )

The client credentials grant type is not compatible with the /authorize endpoint. Instead, you need to make a direct API call to the /token endpoint with this request body:

  • grant_type: client_credentials
  • client_id: [your client ID]
  • client_secret: [your client secret]
  • scope: [desired scope]

If you specifically need to use the /authorize endpoint, you’ll have to implement a redirect model. This involves using the Okta-hosted sign-in widget, where users can enter their username and password for authentication.

Please refer to my earlier comment for the difference between the client_credentials and Authorization Code grant types!
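The client_credentials request listed in the reply above, as an added example that is not code from the thread: the body carries only grant_type and scope, the client authenticates with client_id:client_secret over HTTP Basic (the same transport as the cURL code posted earlier, so it is not repeated here and is injected as `$post`), and the response is either a token or one of the error objects seen in this thread. Assumptions: the custom authorization server named "default" that the posted code already targets, a custom scope `inventory.read` defined on it (openid and profile are user scopes and do not apply to this grant), placeholder credentials, and PHP 8 for `match`. The token is cached until shortly before `expires_in` so a service does not request a fresh token on every call.

```php
<?php
// Added example, not from the original thread. Assumes a custom authorization
// server ("default") with a custom scope, and placeholder client credentials.
declare(strict_types=1);

const TOKEN_URL     = 'https://trial-12345.okta.com/oauth2/default/v1/token';
const CLIENT_ID     = 'your-client-id';     // placeholder
const CLIENT_SECRET = 'your-client-secret'; // placeholder
const SCOPE         = 'inventory.read';     // assumption: custom scope on that server

// Body of the client_credentials request. client_id/client_secret travel in
// the Authorization header (client_secret_basic), not in the body.
function clientCredentialsFields(): array
{
    return ['grant_type' => 'client_credentials', 'scope' => SCOPE];
}

// Turn a /token response into a token array or a precise failure reason.
function parseTokenResponse(int $status, string $body): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        throw new RuntimeException("non-JSON response (HTTP $status)");
    }
    if (isset($data['error'])) {
        $hint = match ($data['error']) {
            'unauthorized_client' => 'this grant_type is not enabled on the client; error_description lists the configured grant types',
            'invalid_client'      => 'client_id/client_secret were rejected',
            'invalid_scope'       => 'scope is not defined on this authorization server',
            default               => 'see error_description',
        };
        throw new RuntimeException($data['error'] . ': ' . ($data['error_description'] ?? '') . " ($hint)");
    }
    foreach (['access_token', 'token_type', 'expires_in'] as $k) {
        if (!isset($data[$k])) {
            throw new RuntimeException("missing $k in token response");
        }
    }
    return $data;
}

// Fetch a service token, reusing the cached one until 30 s before expiry.
// $post(url, fields, basicAuth) -> [status, body] is the HTTP transport.
function getServiceToken(array &$cache, callable $post, int $now): string
{
    if (isset($cache['token']) && $now < $cache['expires_at'] - 30) {
        return $cache['token'];
    }
    [$status, $body] = $post(TOKEN_URL, clientCredentialsFields(), CLIENT_ID . ':' . CLIENT_SECRET);
    $t = parseTokenResponse($status, $body);
    $cache = ['token' => $t['access_token'], 'expires_at' => $now + (int) $t['expires_in']];
    return $cache['token'];
}

// Offline demo with constructed responses (no network).
$ok = fn() => [200, json_encode([
    'token_type' => 'Bearer', 'expires_in' => 3600, 'access_token' => 'eyJ.example', 'scope' => SCOPE,
])];
$denied = fn() => [400, json_encode([
    'error'             => 'unauthorized_client',
    'error_description' => 'The client is not authorized to use the provided grant type. Configured grant types: [authorization_code, client_credentials].',
])];

$cache = [];
$calls = 0;
$counting = function (...$args) use ($ok, &$calls) { $calls++; return $ok(); };
getServiceToken($cache, $counting, 1000);
getServiceToken($cache, $counting, 2000); // served from cache, no second request
echo "token requests: $calls\n";          // 1
try {
    getServiceToken($cache, $denied, 1000 + 3600); // expired; Okta now rejects the grant
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

To go live, pass the cURL POST from the posted code (Basic auth with client_id:client_secret, `Accept: application/json`) as `$post`; the `unauthorized_client` case above is exactly the response the thread shows when the body says `grant_type=password` while the application only has authorization_code and client_credentials enabled.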

Hi there @Natraj619 !

It looks like you want to create a web application with user sign-in based on your scopes. Is that correct? If so, use the Authorization Code flow. If you don't require a user to sign in, then the Client Credentials flow is correct. I'll include some resources:

For PHP web apps with user sign-in, you may find this sample project helpful

Happy coding and let us know if you have any questions!
