How to use Client Credentials flow with SPA for integration tests?

I have a SPA setup, and I’m trying to get server-side integration tests to work with Okta. Normally users get a token via PKCE, then pass it to the API in a header. Now I’m working on adding integration tests to the API, and I’d like for them to use the same authentication logic as normally happens. That way, all the auth logic is exercised by the tests. However, it looks like it’s not possible to use the Client Credentials flow with a SPA. Is that correct?

I know I could create a separate application for the integration tests, but then that adds complication to my API because the Okta libraries only work with one clientID, so I’d have to add logic to do a separate auth flow for the integration tests. What’s the best way to do this?

Hi @daniel.stone,

That’s right, you cannot use client credentials flow for an application of type SPA.

You could probably use a tool like this to get tokens without involving a browser.

This article walks through the API calls that can be done using curl commands/Postman without a browser.

Yeah, I know I could implement PKCE via the command line, but it’s really the wrong flow for the job. It would be a lot better if Okta didn’t segregate the auth types into separate applications.

For this particular case, we ended up not using Okta for integration tests and instead spinning up a fake auth server that we can control while the tests are running. We then added that fake auth server to our API’s list of issuers when the API is running the tests. The tests can then get a token via the fake auth server.
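
A sketch of the fake-issuer arrangement described in the last post, added here as an illustration and not code from anyone in the thread. The issuer URLs, audience, keys and function names are assumptions, and HS256 with a shared key stands in for the RS256/JWKS verification a real Okta validator performs. The point it shows is that the fake issuer is only in the trust list when the API runs in test mode, and that the verification key is chosen per issuer.

```python
import base64, hashlib, hmac, json, time

# Assumptions, not from the thread: issuer URLs, audience and keys are constructed;
# HS256 stands in for the RS256/JWKS verification a real Okta validator performs.
OKTA_ISSUER = "https://okta.example.invalid/oauth2/default"
FAKE_ISSUER = "http://127.0.0.1:9999/fake-auth"
AUDIENCE = "api://integration-example"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint_fake_token(key, sub, iss=FAKE_ISSUER, ttl=300):
    """Fake auth server side: sign test claims with the fake server's own key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": iss, "aud": AUDIENCE, "sub": sub,
                              "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{claims}.{_b64(_sign(key, header + '.' + claims))}"

def trusted_issuers(env, okta_key, fake_key):
    """API side: issuer -> key map. The fake issuer exists only when env == 'test'."""
    issuers = {OKTA_ISSUER: okta_key}
    if env == "test":
        issuers[FAKE_ISSUER] = fake_key
    return issuers

def verify(token, issuers):
    """Return the claims or raise ValueError; the key is selected by the iss claim."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_unb64(header_b64)), json.loads(_unb64(claims_b64))
        sig, alg, key = _unb64(sig_b64), header.get("alg"), issuers.get(claims.get("iss"))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if key is None:
        raise ValueError("issuer not trusted in this environment")
    if alg != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(key, header_b64 + "." + claims_b64)):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if claims.get("aud") != AUDIENCE or not isinstance(exp, int) or exp <= time.time():
        raise ValueError("wrong audience or expired")
    return claims
```

A token signed by the fake server but claiming the Okta issuer fails the signature check, because the key comes from the issuer map and not from the token.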