I am using the Okta Widget to log in to the application. Then, after logging in to the application, the user can update his password. To update the password, I thought of using the Users Okta API - Change password. But this requires an SSWS API key to do it. It means a new Okta API token would need to be generated for my needs in Okta → Security → API token.
I was advised by our Okta admins to add a new application - API Services - and use the client and secret to do it. I tried this kind of approach through Postman - to call any USER API with Basic Auth.
I set up Postman:
Test case - try to get user using client/secret
Result: I am getting an Invalid Session error back
Is it possible to update a user’s password using client/secret authorization? Or do I need an Okta API token for it?
Thank you for the tutorial. It is useful, but it says how to authorize using the default authorization server and I am trying to use a custom one - if possible…
I am still not able to make it work.
I have a custom authorization server and I am able to set up Postman to generate an access token using my custom authorization server, but then when I try to use it in any Okta API URL, it gives me errors.
I get the token through my custom authorization server:
// Search for URL Parameters to see if a user is being routed to the application to recover password
var searchParams = new URL(window.location.href).searchParams;
oktaConfig.otp = searchParams.get('otp');
oktaConfig.state = searchParams.get('state');
const oktaSignIn = new OktaSignIn(oktaConfig);
Do you think it is the correct approach to take? Use the Okta widget access token through Postman?
I like it. It works now, but I am not sure if the solution is good enough for me, as I will need to allow the user to:
update security question
and, as far as I can see, the MyAccount API doesn’t have methods for it. But I am happy I made it work, as maybe it will be useful for some use cases in the future, so thank you, Erik, for your suggestions.
How I made it work - just for some people who will try to use it in the future and see this post:
I added the scopes to the Okta widget config to make sure I am requesting them in the access token: