Fetch Groups in a daemon application

Hi, I am building a dotnet daemon application. My understanding is that for such an application, the correct App Integration category to be used is API Services (since this will be machine-to-machine communication). However, when I try to use my clientId/clientSecret pair against oauth2/v1/token in order to request an access token, which will then be used to fetch the groups of my organization, I get:

"error": "invalid_client",
"error_description": "Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."

I have not managed to find any documentation on how to fix this, if anyone has any pointers in Okta docs they would be much appreciated!


For whatever reason it looks like you can’t do a normal shared-secret client_credentials exchange with the organization token endpoint. Also, the public/private key management stuff they mention in the following docs is hidden behind an Early Access toggle (Admin Dashboard → Settings → Features → Early Access → OAuth2 Secrets and Keys Management).

It sounds like you need access to custom authorization servers for this use case. In the article above, the Client Credentials flow using the Org authorization server generates tokens to be used with the Okta API.

The Client Credentials flow never has a user context, so you can’t request OpenID scopes. Instead, you must create a custom scope. See the Scopes section of the Create a Custom Authorization Server guide for more information on creating custom scopes.

Note: Okta’s Developer Edition makes most key developer features available by default for testing purposes. Okta’s API Access Management product — a requirement to use Custom Authorization Servers — is an optional add-on in production environments.

Indeed, followed this and it worked. Ended up using the Okta SDK to simplify the signing process. Thank you!

I thought so initially as well, but as far as I understand, in order to access Okta resources (such as the Groups of an organization), you need to use the built-in Okta Authorization Server, not a Custom one.
Indeed, I got it working with the built-in AS.

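For readers who want to see what the working flow from this thread looks like without the Okta SDK, here is an added example (not code from any poster, and not the SDK's own implementation) of a .NET daemon signing a private_key_jwt client assertion, exchanging it at the org authorization server's oauth2/v1/token endpoint, and then listing groups. The org URL, client ID, key path and key ID are placeholders; it assumes the matching public key was registered on the API Services app and the app was granted the okta.groups.read scope.

```csharp
// Added example: private_key_jwt client_credentials against the Okta org AS,
// then a call to /api/v1/groups. All {...} values below are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.IO;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;

const string OktaDomain = "https://{yourOktaDomain}";            // placeholder
const string ClientId = "{clientId}";                              // placeholder
const string PrivateKeyPemPath = "/run/secrets/okta-client.pem";  // placeholder path
string tokenEndpoint = $"{OktaDomain}/oauth2/v1/token";

// 1. Build the client assertion: a short-lived JWT signed with the app's private key.
//    iss and sub are the client ID; aud is the token endpoint; jti makes it single-use.
string BuildClientAssertion()
{
    using var rsa = RSA.Create();
    rsa.ImportFromPem(File.ReadAllText(PrivateKeyPemPath));
    var key = new RsaSecurityKey(rsa) { KeyId = "{kid}" };     // kid registered in Okta
    var creds = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
    var now = DateTime.UtcNow;
    var jwt = new JwtSecurityToken(
        issuer: ClientId, audience: tokenEndpoint,
        claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, ClientId),
                        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) },
        notBefore: now, expires: now.AddMinutes(5), signingCredentials: creds);
    return new JwtSecurityTokenHandler().WriteToken(jwt);      // signed while rsa is alive
}

// 2. Exchange the assertion for an access token (no client_secret is sent at all).
using var http = new HttpClient();
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["grant_type"] = "client_credentials",
    ["scope"] = "okta.groups.read",
    ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    ["client_assertion"] = BuildClientAssertion(),
});
var tokenResp = await http.PostAsync(tokenEndpoint, form);
tokenResp.EnsureSuccessStatusCode();   // invalid_client here means the key/kid is not registered
using var tokenJson = JsonDocument.Parse(await tokenResp.Content.ReadAsStringAsync());
string accessToken = tokenJson.RootElement.GetProperty("access_token").GetString()!;

// 3. Call the Groups API with the OAuth token as a Bearer credential.
var req = new HttpRequestMessage(HttpMethod.Get, $"{OktaDomain}/api/v1/groups");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var groupsResp = await http.SendAsync(req);
groupsResp.EnsureSuccessStatusCode();
using var groups = JsonDocument.Parse(await groupsResp.Content.ReadAsStringAsync());
foreach (var g in groups.RootElement.EnumerateArray())
    Console.WriteLine(g.GetProperty("profile").GetProperty("name").GetString());
```

Keep the private key out of the repository and app settings (here it is read from a secrets mount), and keep the assertion lifetime short, since the JWT itself is the client credential.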
