How to use client_credentials for access users api

We need to create, deactivate and delete users in okta programatically and we are planning to use okta users api. Now we are not having the access to the apikey. Instead we are having client_credentials (client_id, client_secret). Please suggest how can we use client_credentials to get access users api.
We need to use oauth instead of apikey. Please suggest process.

You need to get an access token and then use it in your requests instead of SSWS ap_token (the header will be Authorization: Bearer access_token

Ok, but how exactly can we get access token. I mean which API call to be used exactly which takes client credentials and returns access token. Please suggest!

https://developer.okta.com/docs/reference/api/oidc/#token this is the endpoint you need. You submit your credentials through the header and get the token back

Many thanks Philipp! We will try it and post the results soon.

We tried it however we are facing challenges as we are not able to get the request correctly.

Request :

URL : https://mydomain.okta.com/oauth2/v1/token
Header : Accept:application/json, Authorization:Basic
Body : { grant_type:client_credentials, client_id:0oauq08tf2LifQvoi4x6, client_secret:<client_secret> }

Response:
Status : 400 (Bad request),
Body : {“errorCode”:“invalid_client”,“errorSummary”:“Invalid value for ‘client_id’ parameter.”,“errorLink”:“invalid_client”,“errorId”:“oaeu9-mG758TjiTPlfXDdlZ6Q”,“errorCauses”:[]},

What type of application are you using and is Client Credentials grant type allowed for it? This OAuth flow is only an option for Web and Service apps.

Something else I see that will be problematic with your request is that I don’t see you requesting any scopes for this token. In order to call Okta endpoints, the token must be granted the associated scope(s); for creating, deactivating, and deleting users, this will be the okta.users.manage scope.

Additionally, if you are looking to use a Service application to request tokens and use them to access Okta APIs, you will need to follow the steps in the following guide to create your application: Implement OAuth for Okta with a Service App

Hello Andrea,

I have the same situation, I need to list users and groups on the backend application calling the Okta Api but I can’t use an API Token and I can’t use a key pair with client credentials too (Information Security area policies).

So my options are:

Using an administrator read only account passing username/password to get the token.
My application type could be an web or service.

Do you have a tutorial describing how can I achieve my goal? I am using spring boot application.

Thank you.

In other words, I would like to reproduce in my code what I did in Postman using that was documented on this page: Get an access token and make a request | Okta Developer, without any user interaction (login), because how I said I need to do this on the server side, my microservice needs to list Okta users and groups.

At this time, the only way to use access tokens against these endpoints as a service app is to use client credentials flow with private key jwt auth.

Something you could try instead is to create a user as a stand in for a service account and use authorization code flow (and a Web app) to request tokens for this service account user. As long as they are granted high enough admin permissions for the requests you are looking to make, you should be able to use these tokens instead for your use case. This isn’t too dissimilar to what we suggest you do when using API Tokens for your integrations, as its not ideal for those set-ups to have a specific user tied to the API token as they can be deactivated/leave the company and you wouldn’t want your integrations to break because of this.

I did a little Spring Boot project showing how to do this: https://github.com/denisgmarques/okta-web-flow-user-password-admin-token

2 Likes

Hi @denisgmarques
Thank you for sharing the project.
I have tried to follow the same steps for getting the bearer token-
get session token → get authorization code → get access token
I am successfully getting the access token but whenever I try to use that token in another API such as getting the list of users, it always shows 401 Unauthorized :(.
Can you specify what configurations where there in your account as in whether it is web app or services app and what settings did you make for the apps, scopes and authorization server?
Thank you

What endpoint are you trying to send the token to? What scopes was it granted?

Hi Andrea,
I want to get the list of users so this was the API I was using- {baseURL}/api/v1/users with Authorization as Bearer access_token.
I didn’t specify any scope when making this API call but I have granted okta.users.read scope to the web app.
Also, one thing was different for me when compared to Denis. While getting the authorization code, he had passed okta.users.read as scope but when I try to do that, it gives me Invalid scope error. It works when I set it to openid.

I think I know why I am getting the error.
I am using custom authorisation server, and from what I’ve read, the access tokens generated from them can’t be used for Okta resource endpoints.

But I don’t know from where we can get to know the the base URL for the Org Authorization Server.

I want to implement the following things using Okta APIs-

  1. Get List of Users
  2. Get a User’s Group List
    The endpoints would be /users and /groups

This is to be done in the backend.

For this I know that we can use the API Token for Authorization, however I would prefer to use the access token using the authorization code flow.

I’ve tried what Dennis has done: get session token → get authorization code → get access token.
But as I mentioned before, the access token that I get from the default server is not working for the APIs.

If someone could suggest me a workaround for this, I would really appreciate it.

Hi Andrea,

How to set scope in okta developers account to access users api from React?

You don’t need to set-up any scopes yourself. They are already created for the Org Authorization Server. You should walk through our guides about how to request tokens you can use against Okta APIs to ensure you are using the right server: Implement OAuth for Okta | Okta Developer and Implement OAuth for Okta with a service app | Okta Developer

You don’t need to set-up any scopes yourself. They are already created for the Org Authorization Server

The custom (or default) Authorization Server (https://xxx.okta.com/oauth2/defalt/v1/token) has only basic scopes like email, openid, profile. It doesn’t have and doesn’t allow creating an API scopes like okta.users.read.
This name is reserved. Must not start with ''okta.'' or ''okta:'' and must not be only ''okta'' or ''*''.

The Org Authorization Server doesn’t allow querying by the Web App:
URL: https://XXX.okta.com/oauth2/v1/token
Response: Only clients with 'application_type' of 'service' may use the client_credentials 'grant_type' with the Org Authorization Server

Right, you can only use client_credentials flow with a service app using private_key_jwt for auth, Implement OAuth for Okta with a service app | Okta Developer

You cannot use Okta API scopes with a custom AS, you must use Org, so if you want to use client_creds flow, you need to make a dedicated API Services app and configure it as per our guide. Web/SPA/Native apps can use only use user-based OIDC flows to get tokens (implicit, auth code, password grant)