Okta grant type in client credential flow

Hi,

In client credential grant flow with JWT token, if we are using an JWT assertion in request body to get an access token then why the grant_type is client_credentials and not jwt-bearer.
https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/get-access-token
Please correct my understanding if i misunderstood anything.

1 Like

Hi @ananddhage! Service apps must authenticate with grant type=client_credentials please see 4.4 Client Credentials Grant.

Like @sigama mentioned, If you are using a Service application and implementing Client Credentials flow, the grant_type will always be client_credentials.

What you’re asking about is not about the grant_type, but the client authentication needed to request tokens for this application. Per the guide you linked to, in order to use a Service app to get tokens to use against Okta APIs (with Okta API scopes), the service app you create will use private_key_jwt client authentication, but the grant_type will still be client_credentials as that indicates what OAuth flow you are using.

Because private_key_jwt is being used for client authentication in a Client Credentials OAuth flow, you are passing those client_assertion_type and client_assertion parameters along in your request body, as shown in the example on that page:

    curl -X POST "https://{yourOktaDomain}/oauth2/v1/token"
    -H "Accept: application/json"
    -H "Content-Type: application/x-www-form-urlencoded"
    -d "grant_type=client_credentials \
    &scope=okta.users.read \
    &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
    &client_assertion=eyJhbGciOiJSUzI1…..feCJfSqsJeEKGjJqp1accnXpPbCSi1-2UQ"