Okta Widget Authentication and updating user's password within application

Hi,

I have a question regarding use case.

I am using the Okta Widget to log in to the application. Then, after logging in, the user can update his password. To update the password, I thought of using the Okta Users API - Change password. But this requires an SSWS API key to do it, which means a new Okta API token would need to be generated for my needs in Okta → Security → API token.

I was advised by our Okta admins to add a new application - API Services - and use the client ID and secret to do it. I tried this kind of approach through Postman - calling a Users API endpoint with Basic Auth.

I set up Postman:

Test case - try to get user using client/secret

Authorization: Basic
Username: {{clientId}}
Password: {{clientSecret}}
Url: {{url}}/api/v1/users/{{userId}}
Result: I am getting an Invalid Session error back

Is it possible to update a user's password using client/secret authorization? Or do I need an Okta API token for it?

Thank you,

You would need to obtain an access token through this new Service API application, which has to have the client_secret_jwt authentication method.

Read this guide for more details/example

Hello,

If you have an OIE Org you might want to use the new MyAccount API in order to do this.

Thank You


Hi Phi1pp,

Thank you for the tutorial. It is useful, but it explains how to authorize using the default authorization server and I am trying to use a custom one - if possible…

I am still not able to make it work.
I have custom authorization server and I am able to set up postman to generate access token using my custom authorization server but then when I try to use it in any okta API url - it gives me errors.

  1. I get a token through my custom authorization server:

     {{devOktaPreview}}/oauth2/{{customAuthServerId}}/v1/token/

  2. Then I tried to use the token to get a user by id:

     GET {{devOktaPreview}}/api/v1/users/{{userId}}

And I am getting error complaining about the authorization server:

www-authenticate: Bearer authorization_uri=http://devOkta.okta.com/oauth2/v1/authorize, realm=http://devOkta.okta.com, scope="okta.users.read", error="invalid_request", error_description="The authorization server id is invalid.", resource="/api/v1/users"

I need to add, that my custom authorization server doesn’t have okta.users.read scope because it is not possible to add it. It throws an error when I try to add it:

This name is reserved. Must not start with 'okta.' or 'okta:' and must not be only 'okta' or '*'.

but I think if it was the reason, I would get other error message anyway - complaining about scope and not authorization server id…

Hi Erik,

Thank you for your response.
I am doing some investigation into the MyAccount API. I must admit I wasn't aware of it, so thank you for the suggestion.

My actions:

I used Okta widget to login to application. I have got the access token back for the user and then I went to the postman and tried:

GET {{devOktaPreview}}/idp/myaccount/profile

with the access token in Bearer.

I have got error back:

www-authenticate: Bearer authorization_uri="http://devOkta.okta.com/oauth2/v1/authorize", realm="http://devOkta.okta.com", scope="okta.myAccount.profile.read", error="insufficient_scope", error_description="The access token provided does not contain the required scopes.", resource="/idp/myaccount/profile"

My custom authorization server has a scope okta.myAccount.profile.read but I am not sure if my application has it (I don’t have access to the scope tab on applications for now…)

When I initialize the Okta Widget I provide the scope like this:

function createOktaSignIn(oIssurerUri, oRedirectUri, oClientId) {
    var oktaConfig = {
        issuer: oIssurerUri,
        redirectUri: oRedirectUri,
        clientId: oClientId,
        onSessionExpired: () => { localStorage.clear(); location.reload(); },
        scope: ['openid', 'email', 'okta.myAccount.profile.read']
    };

    // Search for URL parameters to see if a user is being routed to the application to recover password
    var searchParams = new URL(window.location.href).searchParams;
    oktaConfig.otp = searchParams.get('otp');
    oktaConfig.state = searchParams.get('state');
    const oktaSignIn = new OktaSignIn(oktaConfig);

    return oktaSignIn;
}

Do you think it is the correct approach to take? Using the Okta widget access token through Postman?

You will need to make sure your application allows the scope.
If you are not sure and are requesting the scope in your application you can verify if that scope is granted by either:

  • check your Okta Org logs
  • take the access_token returned and go to https://jwt.io to check the scp claim and see if it is there.
curl --location --request GET 'https://domain.okta.com/idp/myaccount/profile' \
--header 'Authorization: Bearer eyJra...' \
--header 'Accept: application/json; okta-version=1.0.0'

Make sure to add Accept: application/json; okta-version=1.0.0 or else you will get an HTTP 406.


I like it. It works now, but I am not sure if the solution is good enough for me, as I will need to allow the user to:

  • update password
  • update security question
  • update MFA
    and, as far as I can see, the MyAccount API doesn’t have methods for it. But I am happy I made it work as maybe it will be useful for some use cases in future :smile: so thank you Erik for your suggestions.

How I made it work - for people who will try to use it in future and see this post:
I added the scopes in the Okta widget config to make sure I am requesting them in the access token:

var oktaConfig = {
    issuer: oIssurerUri,
    redirectUri: oRedirectUri,
    clientId: oClientId,
    scopes: ['openid', 'email', 'okta.myAccount.profile.read']
};

To make it work, it is important to check that the scope is enabled:

  • for the application
  • and the authorization server the solution uses.

You can definitely change your password, but you will need to create a support ticket to have the MyAccount password feature enabled.

The other operations would require a different solution.