Must use the private_key_jwt token_endpoint_auth_method?

I’m trying to figure out if the Okta documentation is incorrect OR i’m making some error in my calls. I’m following Build an API service integration | Okta Developer and it has a base64 id/secret Auth passed, but i’m finding this is rejected using the curl commands and Python Authlib library.

Both are returning {"error":"invalid_client","error_description":"Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."} which is confusing as that to me implies it’s expecting a different auth mechanism.

I checked my app and it’s appears configured for the guides auth setup.

It seems you are making request to Okta Org AuthZ server. I believe when using client_cred flow with Org AuthZ server you need to use private_key_jwt authentication method. You will have to reconfigure your client in such case

1 Like

That what it appears, which differs with the App settings and official guides. It does seem odd the implementation would differ from the docs/settings (i’d assume this is a normal app to app flow).

I’m trying to find some documentation that makes that clear, because tons of stuff just references the token endpoint with that auth scheme :slightly_frowning_face:

The problem is that you are trying to call Org AuthZ server. It that were custom AuthZ server then everything will be working for you. What is your requirement, do you need to go against Okta Org one or custom one?

Here is the article covering steps required for Okta Org AuthZ server with client_creds app Implement OAuth for Okta with a service app | Okta Developer


Okta support ticket solved this - their documentation is out of date. They recommended Implement OAuth for Okta with a service app | Okta Developer which states The Client Credentials grant flow is the only grant flow supported with the OAuth 2.0 service app when you want to mint access tokens that contain Okta scopes. which although conflicts with their other information, is the answer and path forward.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.