Hi, I am building a dotnet daemon application. My understanding is that for such an application, the correct App Integration category to be used is API Services (since this will be machine to machine communication). However, when I try to use my clientId/clientSecret pair against oauth2/v1/token in order to request an access token, which will then be used to fetch the groups of my organization, I get
"error": "invalid_client",
"error_description": "Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."
I have not managed to find any documentation on how to fix this, if anyone has any pointers in Okta docs they would be much appreciated!
For whatever reason it looks like you can’t do a normal shared secret client_credentials exchange with the organization token endpoint. Also the public/private key management stuff they mention in the following docs is hidden behind an Early Access toggle (Admin Dashboard → Settings → Features → Early Access → OAuth2 Secrets and Keys Management).
It sounds like you need access to custom authorization servers for this use case. In the article above, the Client Credentials flow using the Org authorization server generates tokens to be used with the Okta API.
The Client Credentials flow never has a user context, so you can’t request OpenID scopes. Instead, you must create a custom scope. See the Scopes section of the Create a Custom Authorization Server guide for more information on creating custom scopes.
I thought so initially as well, but as far as I understand, in order to access Okta resources (such as the Groups of an organization) you need to use the built-in Okta Authorization Server, not a Custom one.
Indeed I got it working with the built in AS.
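To make the resolution above concrete, here is an added example (not code from anyone in this thread, and not Okta's own sample) of what the dotnet daemon has to send instead of a clientId/clientSecret pair: a client_credentials request to the org authorization server's oauth2/v1/token endpoint authenticated with private_key_jwt, i.e. a JWT signed with the app's private key (RFC 7523). It assumes the RSA key pair has already been registered for the API Services app in the Okta console (the key management feature mentioned above), that the private key sits in a PKCS#8 PEM file, and that the daemon wants the okta.groups.read scope for reading groups; the domain, client id, key id and file path are placeholders. It needs the System.IdentityModel.Tokens.Jwt NuGet package.

```csharp
// Added example, not from the thread: private_key_jwt client authentication against the
// Okta org authorization server from a daemon (client_credentials, no user context).
// Assumptions: the app's public key is registered in Okta, the private key is in PKCS#8
// PEM at PrivateKeyPemPath, and the scope okta.groups.read is granted to the app.
// Requires NuGet: System.IdentityModel.Tokens.Jwt
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.IO;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

public static class OktaPrivateKeyJwtClient
{
    // Placeholder values (assumptions); replace with your org and app settings.
    private const string OktaDomain = "https://dev-000000.okta.com";
    private const string ClientId = "0oaPLACEHOLDERCLIENTID";
    private const string KeyId = "PLACEHOLDER-KID";          // kid of the key registered in Okta
    private const string PrivateKeyPemPath = "okta-private-key.pem";

    private static readonly string TokenEndpoint = $"{OktaDomain}/oauth2/v1/token";

    // Build the RFC 7523 client assertion: a JWT signed with the app's private key.
    // iss and sub are the client_id; aud is the token endpoint the assertion is sent to.
    public static string BuildClientAssertion()
    {
        using var rsa = RSA.Create();
        rsa.ImportFromPem(File.ReadAllText(PrivateKeyPemPath));
        var signingKey = new RsaSecurityKey(rsa) { KeyId = KeyId };
        var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);

        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: ClientId,
            audience: TokenEndpoint,
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, ClientId),
                // A unique jti lets the server reject a replayed assertion.
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
            },
            notBefore: now,
            // Short lifetime: the assertion only has to survive this one request.
            expires: now.AddMinutes(5),
            signingCredentials: credentials);

        // Signing happens here, while the RSA key is still in scope.
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Exchange the assertion for an access token with the client_credentials grant.
    // No client_secret is sent at all; the signed assertion is the client authentication.
    public static async Task<string> RequestAccessTokenAsync(HttpClient http, string scope)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["scope"] = scope,
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = BuildClientAssertion(),
        };

        using var response = await http.PostAsync(TokenEndpoint, new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // An error/error_description JSON like the one quoted in the question lands here.
            throw new InvalidOperationException(
                $"Token request failed ({(int)response.StatusCode}): {body}");
        }
        return body; // JSON with access_token, token_type, expires_in, scope
    }

    public static async Task Main()
    {
        using var http = new HttpClient();
        var tokenResponse = await RequestAccessTokenAsync(http, "okta.groups.read");
        Console.WriteLine(tokenResponse);
    }
}
```

The shape of the request is the whole point: grant_type=client_credentials plus client_assertion_type and client_assertion replace the client_secret, and the assertion's aud must be the exact token endpoint URL that receives it. The private key never leaves the daemon, so a leaked request log does not leak a reusable credential, and the short exp together with a fresh jti keeps a captured assertion from being replayed for long.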