Is API Access Management feature required for client_credentials flow?

I want to use the client_credentials flow to obtain a server side access token that can be used for fetching the user profiles of all users in the Okta instance.

I created an OAuth Service app, granted the okta.users.read scope for the app and then tried to use the client credentials flow:
curl --request POST --url https://.okta.com/oauth2/default/v1/token --header 'accept: application/json' --header 'Authorization: Basic …' --header 'cache-control: no-cache' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=client_credentials&scope=okta.users.read' -v

This returns an error response:
{"error":"access_denied","error_description":"The requested feature is not enabled in this environment."}

Why does this error occur? Does the “API Access Management” feature need to be enabled in order to use the client credentials flow?

API Access Management is not required, as you do not need to use a custom authorization server.

The POST request needs to be done on /oauth2/v1/token and not /oauth2/default/v1/token, which is a custom authorization server's token endpoint.


Note that if you are doing a client credentials flow with the Org Authorization Server your application will need to be a public/private key app. You will not be able to use basic auth with a client secret. Instructions for setting this up can be found here.
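The two answers above together describe the working setup: the Org Authorization Server token endpoint (/oauth2/v1/token, not /oauth2/default/v1/token) and client authentication with a signed JWT (private_key_jwt) instead of Basic auth with a client secret. The following Go program is an added example, not code from the thread or from Okta; it uses only the standard library to build the RS256-signed client assertion (iss and sub set to the client_id, aud set to the token endpoint), assemble the client_credentials form body without a client_secret, and verify the assertion offline. The Okta domain and client_id are placeholders, and the key is generated on the fly for demonstration; in practice you load the private key whose public half is registered on the service app.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// OrgTokenEndpoint returns the Org Authorization Server token endpoint.
// /oauth2/default/v1/token belongs to a custom authorization server and
// needs the API Access Management feature; /oauth2/v1/token does not.
func OrgTokenEndpoint(oktaDomain string) string {
	return "https://" + oktaDomain + "/oauth2/v1/token"
}

// b64url is the unpadded base64url encoding that JWS requires.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion creates the private_key_jwt assertion for a service app:
// iss and sub are the client_id, aud is the token endpoint, signed with RS256.
func BuildClientAssertion(clientID, tokenEndpoint string, key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	claims := map[string]interface{}{
		"iss": clientID,
		"sub": clientID,
		"aud": tokenEndpoint,
		"iat": now.Unix(),
		"exp": now.Add(ttl).Unix(),                // keep the lifetime short
		"jti": fmt.Sprintf("%d", now.UnixNano()), // unique per assertion (assumption: a UUID is more typical)
	}
	hj, err := json.Marshal(header)
	if err != nil {
		return "", err
	}
	cj, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(hj) + "." + b64url(cj)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestForm builds the client_credentials body. There is no
// client_secret: the signed assertion authenticates the client.
func TokenRequestForm(scope, assertion string) url.Values {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("scope", scope)
	form.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	form.Set("client_assertion", assertion)
	return form
}

// VerifyAssertion checks the signature and audience of an assertion against
// the app's public key, so the builder can be tested without a network call.
func VerifyAssertion(assertion string, pub *rsa.PublicKey, wantAud string) (map[string]interface{}, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, err
	}
	if claims["aud"] != wantAud {
		return nil, fmt.Errorf("aud %v does not match token endpoint %s", claims["aud"], wantAud)
	}
	return claims, nil
}

// RequestToken POSTs the form to the token endpoint and returns the raw JSON
// body (the {"token_type":"Bearer",...} response or an error object).
func RequestToken(tokenEndpoint string, form url.Values) (string, error) {
	resp, err := http.Post(tokenEndpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key; load your registered key instead
	endpoint := OrgTokenEndpoint("example.okta.com") // placeholder domain
	assertion, err := BuildClientAssertion("0oa_placeholder_client_id", endpoint, key, time.Now(), 5*time.Minute)
	if err != nil {
		panic(err)
	}
	form := TokenRequestForm("okta.users.read", assertion)
	fmt.Println("POST", endpoint)
	fmt.Println(form.Encode()) // send with RequestToken(endpoint, form) against a real org
}
```

The form body differs from the curl in the question in two ways that matter: the endpoint has no /default/ segment, and the Authorization: Basic header is gone, replaced by the client_assertion parameters. Because the assertion's aud is bound to the exact token endpoint, a request that accidentally targets the custom server path fails verification rather than silently authenticating.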

