How to fetch the access code or access token from okta client application of WEB type by directly passing username/password in the POST request

Below are the steps that I have done -
Step-1)As per the documentation on okta site, I already have created okta web client application . I am using Postman for API calls.

Step-2)Using ‘Authorization Code Flow’ I am able to fetch the Access Code using “Authorization_Server/authorize” end point. Below sample POST request is redirecting me to the okta sogn-in page where I am providing the username / password and then receiving the Access code in browser. Please refer below sample post request.


Step-3)Using this access code,I am able to fetch the Access Token using “Authorization_Server/authorize” end point. Please refer the below sample POST request -

Step-4) Using this Access Token, I am able to complete authentication process for the intended resource in spring boot application.

My actual requirement is to fetch Access Code (as mentioned in Step#2) by directly providing username/password in the POST request thus eliminating the redirection to okta sign-in page .
Since for Web okta application client, Resource Owner Password is not available so I cant use grant_type as Password (along with username and password) in Post request

Is there any way to use okta WEB application client to get Access Token by directly providing users credential (username/password) in the POST request (eliminating okta sign-in page redirection in browser).
I am able to achieve this using Native app (by providing username and password for grant_type as password in POST request) but I need to work with Web app.

You are able to avoid the user interacting directly with Okta, but Auth Code flow will always involve invoking the authorize endpoint and the use of Resource Owner Password flow is not recommended except as a last resort.

Something you may want to look into is combining the primary authentication flow (/authn endpoint) with the authorize request you make.

  1. You can send the user credentials to the authn endpoint and once they are authenticated, you will receive a sessionToken.
  2. With the sessionToken, you can make an authorize request that will not result in the user being prompted (unless you have an MFA policy for that application, of course) and they will instead be immediately redirected to the redirect_uri provided as they are already logged in thanks to that /authn request.
  3. Then you just need to complete the rest of the flow and make a call to the /token endpoint.