Hey @mksmanjit,
I’m going to piggy-back on some of the responses here - as I think the correct approach has already been discussed. But let me try and reiterate a few things.
Since you’re looking for no “manual intervention”, you have two possible solutions:
Use the resource owner password flow
Based on how much control you have over your app - this might be the best option for you. Here, you’ll need to embed your clientId and clientSecret into your application to make calls to the /token endpoint as you mentioned before. This flow isn’t recommended for Single-Page Apps, or anything considered a public client (see client types in the OAuth 2.0 spec).
Use the sessionToken flow
As mentioned earlier, you can leverage the Okta sessionToken to bootstrap your login flow. Essentially:
- Submit user credentials to /api/v1/authn to receive a sessionToken
- Perform the /authorize call using the sessionToken and setting the response_type=code
- Once the code is returned, exchange it for an accessToken via the /token endpoint
Both flows only require the user credentials - and do not require using a browser and/or any “manual intervention”.
Hope this helps!
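The sessionToken flow described in the reply above, written out as an added example (this is not code from the original post or from Okta). It splits the offline-testable pieces (the authn response check, the /authorize URL, parsing the 302 back to the redirect URI, the /token request) from the single function that actually talks to the org. The org URL, authorization server, client ID/secret and redirect URI are assumptions; the client is assumed to be a confidential (web) client using client_secret_basic at /token, and the /authorize call is made with redirects disabled so the code can be read from the Location header.

```python
# Added example (not from the original post): authn -> sessionToken -> /authorize
# (response_type=code) -> /token, with no browser. Only the standard library is used.
import base64
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

ORG_URL = "https://dev-000000.okta.com"              # assumption: your org
ISSUER = ORG_URL + "/oauth2/default"                 # assumption: custom authz server
CLIENT_ID = "0oaexampleclientid"                     # assumption
CLIENT_SECRET = "replace-me"                         # assumption (confidential client)
REDIRECT_URI = "https://localhost:8080/callback"     # assumption: registered on the client


def session_token_from_authn(authn_json: dict) -> str:
    """Step 1: pull sessionToken out of a POST /api/v1/authn response body.
    Only status SUCCESS carries a sessionToken; anything else (MFA_REQUIRED,
    PASSWORD_EXPIRED, LOCKED_OUT, ...) is exactly the 'manual intervention' this
    flow cannot do, so fail loudly rather than KeyError later."""
    status = authn_json.get("status")
    if status != "SUCCESS":
        raise RuntimeError(f"authn did not finish: status={status}")
    return authn_json["sessionToken"]


def build_authorize_url(session_token: str, state: str, nonce: str,
                        scope: str = "openid profile") -> str:
    """Step 2: the /authorize URL carrying the sessionToken and response_type=code."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "sessionToken": session_token,
    }
    return ISSUER + "/v1/authorize?" + urllib.parse.urlencode(params)


def code_from_redirect(location: str, expected_state: str) -> str:
    """Parse the 302 Location from /authorize. Surface OAuth errors and reject a
    state mismatch (wrong/mixed-up response) instead of blindly taking 'code'."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(location).query)
    if "error" in query:
        raise RuntimeError(f"authorize error: {query['error'][0]}: "
                           f"{query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch on redirect")
    return query["code"][0]


def token_request(code: str) -> urllib.request.Request:
    """Step 3: the POST /token request exchanging the code (client_secret_basic)."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }).encode()
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(
        ISSUER + "/v1/token", data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib follows 302s by default; we want the Location header, not the page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def headless_login(username: str, password: str) -> dict:
    """Runs all three steps against the org (network; not exercised offline)."""
    authn_req = urllib.request.Request(
        ORG_URL + "/api/v1/authn", method="POST",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(authn_req) as resp:
        session_token = session_token_from_authn(json.load(resp))

    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        opener.open(build_authorize_url(session_token, state, nonce))
        raise RuntimeError("expected a 302 from /authorize")
    except urllib.error.HTTPError as e:          # the refused redirect surfaces here
        if e.code not in (302, 303):
            raise
        code = code_from_redirect(e.headers["Location"], state)

    with urllib.request.urlopen(token_request(code)) as resp:
        return json.load(resp)   # access_token (and id_token, since scope has openid)


if __name__ == "__main__":
    import getpass
    import sys
    tokens = headless_login(sys.argv[1], getpass.getpass("Okta password: "))
    print("token_type:", tokens.get("token_type"), "expires_in:", tokens.get("expires_in"))
```

The state check in code_from_redirect matters even without a browser: the value you put on /authorize is the only thing tying the redirect you parse to the request you made. Note that the /token step still needs the client credentials for a confidential client, so keep CLIENT_SECRET out of anything that ships to a public client, as the first option's caveat already says.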