We are investigating how to implement REST API security with Okta through OAuth in our applications. My understanding is that the appropriate OAuth flow for this is client credentials (e.g. if users want to access an API in an automation script).
How can we have separate credentials for separate users wanting to consume the API? Always giving out the same set of clientID and secret seems like a risky practice.
If I look at how this is solved by other companies I see them giving out API credentials per user in their GUI but I don’t see how I can achieve that in Okta OAuth apps.
You can create as many client_credentials apps as you need, if you are really doing machine-to-machine interaction. But if it’s a user, then you can ask them to obtain an access token through some user flows and then to use the token in the script as they like. You can build your own GUI for this purpose if you want to be super friendly to your testers.
Isn’t there a better solution to this? It seems not really practical to create OIDC Okta applications for every instance where we want to give out something that conceptually is an API token.
Well, to be honest I’m not aware of something out of the box to support that. But as I suggested, you can build your own UI to issue people with access tokens for this purpose. It should not be too complicated.
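The "build your own UI to issue people with access tokens" suggestion in the two replies above, sketched as an added example (not Okta's code and not from anyone in this thread). It assumes the user has already signed in to that UI through Okta (for instance the OIDC authorization code flow), so by the time `issue_token` runs the `user_id` is trusted; the store, the `issue_token`/`validate`/`revoke_user` names and the token format are all assumptions of this example. The point it shows is what a shared client secret cannot give you: one credential per user, stored only as a hash, with a lifetime, and revocable per user.

```python
"""Per-user API token issuance and validation (added example, not Okta's API).

Assumption: the caller has already authenticated the user through Okta
(e.g. the OIDC authorization code flow) before calling issue_token().
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    user_id: str
    token_hash: str          # SHA-256 of the secret part; plaintext is never stored
    created_at: float
    expires_at: float
    scopes: tuple
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for a database table of per-user API tokens (assumed design)."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self._by_id: dict = {}
        self.ttl = ttl_seconds

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_token(self, user_id: str, scopes=("api:read",), now=None) -> str:
        """Create a token for one user; the plaintext is returned exactly once."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)        # public identifier, safe to log
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy, never logged
        self._by_id[token_id] = TokenRecord(
            user_id=user_id,
            token_hash=self._hash(secret),
            created_at=now,
            expires_at=now + self.ttl,
            scopes=tuple(scopes),
        )
        # Two-part format "<id>.<secret>": lookup by id, then compare the hash.
        return f"{token_id}.{secret}"

    def validate(self, presented: str, now=None):
        """Return (user_id, scopes) for a live token, or None for anything else."""
        now = time.time() if now is None else now
        token_id, sep, secret = presented.partition(".")
        rec = self._by_id.get(token_id) if sep else None
        if rec is None:
            return None
        # Constant-time comparison so a wrong secret does not leak via timing.
        if not hmac.compare_digest(rec.token_hash, self._hash(secret)):
            return None
        if rec.revoked or now >= rec.expires_at:
            return None
        return rec.user_id, rec.scopes

    def revoke_user(self, user_id: str) -> int:
        """Revoke every token of one user (e.g. on offboarding); returns the count."""
        n = 0
        for rec in self._by_id.values():
            if rec.user_id == user_id and not rec.revoked:
                rec.revoked = True
                n += 1
        return n


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    token = store.issue_token("alice", scopes=("api:read",))   # constructed sample user
    print("issued:", token)
    print("valid ->", store.validate(token))
    print("revoked:", store.revoke_user("alice"), "valid ->", store.validate(token))
```

The API itself then checks `validate()` on each request, and the UI only ever shows the plaintext once; because storage holds hashes, a leaked token table does not hand out working credentials, and a single user's tokens can be cut off without rotating anything shared.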