How to generate user specific token for server-server integration?

Hi Everyone,

I am trying to get an access token to make calls from Salesforce to my web app using Okta as IdP. Based on the logged-in Salesforce user, the access token has to be generated. For this, I will be using the Salesforce user’s email id or user id as the “sub” in the JWT. I will then use this token to call my web app.

Unfortunately, I did not find an article to help me with the configuration.

However, I did follow this article to generate an app-specific token (Implement OAuth for Okta with a service app | Okta Developer), but I need a user-specific one.

Is it possible for me to get an access token from Okta without having the user to login again?
Can someone please point me to the documentation on this?

Thanks in Advance!

You cannot use the Client Credentials grant type to receive user-specific details, as only the client credentials themselves (Client ID and Client Secret) are needed to authenticate the request for tokens. For most user-based OAuth use cases, Authorization Code Flow (w/ PKCE if your application does not have a backend to secure a secret) is the recommended grant type to use instead.

If the user already has an Okta session (and they are not required to complete additional authenticator verification in your application’s assigned Authentication Policy), then the /authorize request will succeed immediately and user can receive tokens without re-authenticating with Okta.

Thank you for your reply.

The Authorization Code flow requires the user to sign in to Okta. Is there a way the logged-in user can get a token from Okta without having to sign in again?

For example, a user has signed in to Salesforce using Salesforce username and password. Now this logged in user requires an access token from Okta to make a request to a Web App. Is it possible to get an access token without human intervention?

That’s what I was alluding to: if the user already has an Okta session, they don’t need to sign in again. But if they are only logged into Salesforce directly (not through Okta), then they don’t have an Okta session and would need to authenticate (not re-authenticate, as they have not authenticated against Okta yet).

Thank you for your reply Andrea.

Got it, I tried the setup without PKCE. It works with an active Okta session. Do you have any documentation around how to set this up with PKCE in Salesforce?

Thanks!

Specific to Salesforce, no. It should be as simple as executing an /authorize request (note that you will want to make a dynamic code_verifier/code_challenge pair for each request) and then taking the auth code you get back and send it back to Okta’s /token endpoint in a POST, along with the code verifier.

What did you manage to get working without PKCE? Just the /authorize request itself?
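The /authorize and /token steps Andrea describes, as an added example that is not part of the thread and not Okta's or Salesforce's own code. It generates a fresh code_verifier/code_challenge pair per request (RFC 7636, S256), builds the Okta /authorize URL, checks the state on the callback, and assembles the form body for the POST to /token; the issuer URL, client_id and redirect_uri are placeholders, and the HTTP calls themselves are left to the caller so the block runs offline.

```python
"""PKCE helpers for Okta's authorization code flow (added example).

Assumed placeholders: ISSUER, CLIENT_ID and REDIRECT_URI below are not
real values; replace them with your Okta authorization server and app.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://example.okta.com/oauth2/default"           # assumed placeholder
CLIENT_ID = "0oa_example_client_id"                          # assumed placeholder
REDIRECT_URI = "https://example.my.salesforce.com/callback"  # assumed placeholder


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    """Fresh verifier/challenge for ONE /authorize request; never reuse them.
    32 random bytes give a 43-char verifier, inside the 43..128 range."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(challenge: str, state: str, nonce: str,
                        issuer: str = ISSUER, client_id: str = CLIENT_ID,
                        redirect_uri: str = REDIRECT_URI,
                        scopes=("openid", "profile", "email")) -> str:
    """The browser redirect that starts the flow; with an active Okta session
    it returns straight to redirect_uri without a login prompt."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,                # bound to the session; checked on return
        "nonce": nonce,                # echoed in the ID token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Pull the auth code out of the redirect; reject a state mismatch so a
    code injected through a forged callback is never exchanged."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code: str, verifier: str, issuer: str = ISSUER,
                        client_id: str = CLIENT_ID,
                        redirect_uri: str = REDIRECT_URI) -> tuple[str, dict]:
    """URL and form-encoded body for the POST to /token. For a public client
    there is no secret; the code_verifier is what proves we started the flow."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    return f"{issuer}/v1/token", body


def server_side_check(verifier: str, stored_challenge: str) -> bool:
    """What the authorization server does with the verifier it receives:
    recompute S256 and compare in constant time against the stored challenge."""
    return secrets.compare_digest(code_challenge_for(verifier), stored_challenge)


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(challenge, state, nonce))
    # After the redirect comes back:
    code = parse_callback(f"{REDIRECT_URI}?code=constructed_code&state={state}", state)
    print(build_token_request(code, verifier))
```

Keep the verifier and state in server-side session storage between the two steps; the challenge is the only PKCE value that travels in the browser. The code_challenge_for() output for the RFC 7636 Appendix B verifier can be compared against the published value to confirm the transform.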

Currently I have not written code to make explicit calls to Okta, Salesforce takes care of it.

I followed this article:

As next step, I want to write the code for this so I was looking for articles that do this on Salesforce, how to get the code after login.

From this documentation (Implement authorization by grant type | Okta Developer), the interaction code flow doesn’t require an active user session with Okta, right? Is it possible for the client to provide the interaction code to Okta with a user’s username to get a token without having the user sign in, if there are no remediation steps?

I need to get an access token from Okta for Guest user who doesn’t have to login to Okta at all.
Does Okta have a Help And Training Community?

I’m not sure I fully follow how Salesforce supports this use case based on that article, beyond that it uses client_secret_jwt client authentication, with the sub representing the target user. Which no, Okta does not support.

The closest thing I can think of is the On-Behalf-Of Token Exchange, but that would still require that there be a token issued to a user that could be exchanged for a token issued to a service app, so I don’t think that will help you for users who have not logged into Okta.