I’m trying to set up an API Connector with OAuth, and it’s asking me for an Authorize Path, and but is giving me this error:
Your request resulted in an error. Clients with ‘application_type’ of ‘service’ are not allowed to access the ‘authorize’ endpoint.
Here’s how I set stuff up:
Created a new application in Okta as an API Services application
Created an authorization server and added the necessary scopes/rules to allow for the new application to authenticate.
Configured the following (simulated) values in the “New Connection” dialog:
Authorize Path: https://{oktahost}/oauth2/{authserver}/v1/authorize
Access Token Path: https://{oktahost}/oauth2/{authserver}/v1/token
Scope: api_scope
Client ID: {Client ID from the new application}
Client Secret: {Client Secret from the new application}
Why on earth does it need an authorize path for a Client Credentials flow?
The Client Credentials flow does not need to hit the /authorize endpoint to receive a token. Instead, the request would just go to the token endpoint directly. For example, here’s a guide for using the client credentials flow, which includes how to format the request to /token.
If you need to go through the /authorize endpoint, you’d have to either setup your application as a SPA or Web App
Well, it appears that Okta Workflows requires the /authorize endpoint in order to set up an OAuth connection. Why is that, since it’s making an API call?
@RichardP Can you provide some details about your use case? Why are you trying to connect to an Okta Service app within Workflows? If you are looking to make calls against the Okta API with OAuth, why not use the Okta connector instead? This guide may or may not help you, depending on what you’re trying to do.
Based on the doc for this connector, it appears that only Authorization Code flow is supported, not Client Credentials, and support for this flow will likely require a feature request, which you can file on the Okta Ideas Portal.
From within Okta Workflows, I’m going to need to make an outbound call to a Service API that will be protected by the client credentials flow. The API will provision users to an application. The API I’m calling will be triggered by events such as “User assigned to an application” and “User Profile Changed”
I can file a feature request, I’m just surprised that this hasn’t come up already. For now we can get by with Basic auth if we must.