Obtain user access token to use with Okta secured API

What is the best practice to allow an Okta user to generate an access token to be used with our custom API that has been secured using Okta? Access must be limited to the same scopes they have via the Okta WebApp. The use case is that we want to allow our users to use either the WebApp or our API to gain access to content.

The only option I can see is to use the Client Credentials flow, but that appears to be an administrator-level integration.

Hi @amcneilly, usually you'd set up some of your own new scopes, relevant to your API, in a custom authorisation server (not the default one). Okta's scopes are meaningless to your API.

Do you have a use case where the same token needs to work for both Okta's API and your own API? If so, you'd set up the new relevant scopes on the default auth server, and the client would request both your scopes and the Okta scopes when commencing Authorization Code with PKCE authentication.

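As an added illustration of the first option in the reply above (your own scopes on a custom authorization server, obtained with Authorization Code + PKCE), here is Python that is not from the thread and not Okta's own code. The issuer, client ID, audience and scope names are constructed placeholders; the token payload at the end is likewise constructed, not a real Okta token. It builds the authorize and token requests without sending them, and shows the claim checks an API should apply after verifying the token's signature against the authorization server's JWKS.

```python
"""Authorization Code + PKCE against an Okta custom authorization server, and the
resource-server checks on the resulting access token. Standard library only; the
requests are constructed, not sent, so this runs offline.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders: replace with your org, authorization server id and client id.
ISSUER = "https://dev-123456.okta.com/oauth2/aus1abcdefghijklmno"  # assumed custom auth server issuer
CLIENT_ID = "0oa1example"                                           # assumed client id
REDIRECT_URI = "http://localhost:8080/callback"
API_AUDIENCE = "api://content"                                      # assumed audience configured on that server
API_SCOPES = ["content.read", "content.write"]                      # assumed custom scopes defined on that server


def b64url(data):
    """Base64url without padding, as used by PKCE and JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Fresh (verifier, challenge); 32 random bytes give a 43-char verifier, within RFC bounds."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(issuer, client_id, redirect_uri, scopes, state, challenge):
    """Front-channel request the browser is sent to. Only the challenge leaves the client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def build_token_request(issuer, client_id, redirect_uri, code, verifier):
    """Back-channel exchange: the verifier proves the same client started the flow."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }
    return f"{issuer}/v1/token", urlencode(body)


def check_claims(payload, issuer, audience, required_scopes, now=None):
    """Resource-server checks, applied after the signature is verified against the
    authorization server's JWKS (not shown). Returns a list of failure reasons; empty means accepted."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        problems.append("aud mismatch")
    if payload.get("exp", 0) <= now:
        problems.append("expired")
    missing = set(required_scopes) - set(payload.get("scp", []))  # Okta puts granted scopes in "scp"
    if missing:
        problems.append("missing scopes: " + ",".join(sorted(missing)))
    return problems


# Constructed example payload in the shape of an Okta access token; not a real token.
SAMPLE_PAYLOAD = {
    "iss": ISSUER, "aud": API_AUDIENCE, "sub": "alice@example.com", "cid": CLIENT_ID,
    "uid": "00u1example", "scp": ["content.read"], "iat": 1_700_000_000, "exp": 1_700_003_600,
}


def demo():
    verifier, challenge = new_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    print("1. send browser to:", build_authorize_url(ISSUER, CLIENT_ID, REDIRECT_URI, API_SCOPES, state, challenge))
    # After the redirect back carrying ?code=...&state=..., check state, then exchange the code:
    token_url, body = build_token_request(ISSUER, CLIENT_ID, REDIRECT_URI, "CODE_FROM_REDIRECT", verifier)
    print("2. POST", token_url, "with body", body)
    verdict = check_claims(SAMPLE_PAYLOAD, ISSUER, API_AUDIENCE, ["content.read"], now=SAMPLE_PAYLOAD["iat"])
    print("3. API decision:", verdict or "accepted")


if __name__ == "__main__":
    demo()
```

The API never trusts the scope list until `iss`, `aud` and the signature have been checked; a token minted by the default authorization server, or for a different audience, carries scopes that mean nothing to this API, which is the point the reply makes.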

My core use case is to enable my Okta org users to obtain long-running API keys (or tokens) to access my own API.

I can set up an API token, but that is global and has administration access. I could allow the user to export the WebApp JWT token, but that is short-lived and I need 3-6 months. I was looking at the OAuth redirect flow, but it is not relevant as my users would use a machine-to-machine flow. I require each API access key to have the same permissions as the user that is using the API key.