Machine to Machine Unauthorised C#

Hi All,

I am trying to implement a Machine to Machine authorisation flow to generate an access token from a Service account for use with a SPA app.

I have created the Service account that uses client_credentials, set up an Authorisation server and created a custom scope. In the Authorisation server the access policy is set to both the service account and the SPA app. I can request an access token using the service account Client Id and Secret; if I try to use this returned token to access the SPA app resource I get a 401 unauthorised.

What am I missing here? I have found no obvious way to assign permission to the SPA app, and the documentation is really vague; any assistance will be much appreciated.

Hi @BigT

401 means that the authorization header or client ID/client secret is not correct.
Are you using the SPA OIDC application or the web OIDC application?

SPA App

I am using Okta.AspNetCore nuget package enabled with the provided extension method AddOktaWebApi() as the authentication middleware.

Ended up working this out: for requests to be accepted with the access token retrieved by the service account, the application must have a grant type of client_credentials.

In my case where the front end is React and the backend was .Net core I needed 2 applications + the service account.

React: Has a SPA app on Okta with an implicit grant type
.NET Core: Is a web application on Okta with both implicit and client credentials grant types.
Service account: Tokens retrieved for the service account can then be used to access the .NET web app as it has the same authorisation server.

This is not an intuitive flow when you’re used to something like Azure AD but it does work provided all 3 apps use the same authorisation server and the same audience.
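Added example, not code from the thread or from Okta's own samples: the .NET Core web API side of the setup described above, wired with Okta.AspNetCore so that the AddOktaWebApi middleware accepts the service account's client_credentials token. AddOktaWebApi validates the bearer token's signature, expiry, issuer (which identifies the authorization server) and audience, so the API only accepts tokens minted by the authorization server and audience it is configured with; a token from a different authorization server or with a different `aud` fails with 401 even when the client ID and secret were correct. The Okta domain, authorization server ID, audience and scope name below are placeholders, and the `ReadReports` policy and `/api/reports` route are assumed for illustration.

```csharp
// Program.cs for the .NET Core web API (.NET 6+ minimal hosting). Added example;
// every Okta value here is a placeholder, not a value from the original thread.
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Okta.AspNetCore;

var builder = WebApplication.CreateBuilder(args);

// Register JWT bearer authentication against Okta. The three values below are what
// the incoming access token is checked against; all three Okta apps (SPA, web app,
// service account) must issue/accept tokens from this same authorization server.
builder.Services.AddAuthentication(OktaDefaults.ApiAuthenticationScheme)
    .AddOktaWebApi(new OktaWebApiOptions
    {
        OktaDomain = "https://dev-000000.okta.com",        // placeholder Okta org
        AuthorizationServerId = "ausXXXXXXXXXXXXXXXX",      // placeholder custom authorization server ID
        Audience = "api://my-backend",                     // placeholder; must equal the server's audience
    });

// Authentication alone only proves the token is valid for this API. The custom scope
// created on the authorization server is enforced with an authorization policy:
// Okta puts granted scopes in the "scp" claim, one claim per scope value.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ReadReports", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("scp", "reports.read"));          // placeholder scope name
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint. For a client_credentials token "sub" is the service account's
// client ID, so the API can tell which machine caller it is serving.
app.MapGet("/api/reports", (ClaimsPrincipal user) => Results.Ok(new
{
    caller = user.FindFirst("sub")?.Value,
    scopes = user.FindAll("scp").Select(c => c.Value).ToArray(),
}))
.RequireAuthorization("ReadReports");

app.Run();
```

To exercise it, the service account obtains its token with a POST to `https://{oktaDomain}/oauth2/{authorizationServerId}/v1/token`, sending the client ID and secret as HTTP Basic credentials and the form body `grant_type=client_credentials&scope=reports.read`, then calls `GET /api/reports` with `Authorization: Bearer <access_token>`. When a 401 comes back, base64url-decode the token's middle segment locally and compare its `iss` and `aud` claims with the `AuthorizationServerId` and `Audience` configured above before assuming a permissions problem: a mismatch in either is rejected by the middleware before any scope policy runs, and a valid token that lacks the scope produces 403, not 401.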