Per this response I should use the token api, and not authorize since I am doing this all in backend. The problem is that I have tried that one also, and cannot authenticate. If I use SSWS and pass in client_id then I’m still prompted for a username/password (which still doesn’t seem to work):
POST /oauth2/v1/token HTTP/1.1
Host: MYORG.oktapreview.com
Authorization: SSWS MYTOKEN
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=password&username=URLENCODEDUSER&password=PASSWORD&scope=[offline_access]&client_id=MYCLIENTID&client_secret=MYCLIENTSECRET
And if I try to remove client_id and secret, Base64ing MYCLIENTID:MYCLIENTSECRET and using Basic BASE64OUTPUT then I get an automatic failure