Retrieve the SSWS dynamically

Hello experts,

I need to retrieve the api_token (SSWS) dynamically in order to perform other actions with it. I don't have a redirect_uri, nor the app, to get the client_id and client_secret for the API call below:
curl -v -X POST \
  -H "Content-type:application/x-www-form-urlencoded" \
  "https://${yourOktaDomain}/oauth2/default/v1/token" \
  -d "client_id={client_id}&client_secret={client_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}&code={code}"

So, I found this one:
curl --location --request POST 'https://rossstores-test.okta.com/oauth2/v1/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=okta.users.read' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion=20111QII4MahtU5pLTDmU65-phdW7RcYx9ToC6A7i9hjVIU542ADs3i'

However, I am not sure how to get the client_assertion. Could you please clarify it?

Kind regards,
Thiago

Are you talking about implementing OAuth for Okta with a service app?
https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/

I need to know how to get the client_assertion value, please?

If you read the guide and followed the steps, it links to the tool (https://www.jsonwebtoken.dev/) that will generate a JWT which is the client_assertion.

Hi Warren, I read it, but I need something dynamic, where I can call an API and get it, e.g. a curl command or something similar. Can you please help me with that?

I am trying to get this client_assertion through the API, not through Postman. Is there any way?

Kindly share, please?

Regards,
Thiago

Hi Okta team,

I have been doing some research, and I will be able to generate the client_assertion only if I have the client_id, right? But I don't have the client_id. I just have my user and password as an admin user of the Okta system.
So, the way I am doing it is this:

// Generate a token for tests (JJWT builder; javax.xml.bind for the Base64 decode)
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import java.security.Key;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import java.util.UUID;

SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
// We will sign our JWT with our ApiKey secret (stored Base64 encoded)
byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(this.getSecret());
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
Instant now = Instant.now();
String jwt1 = Jwts.builder()
        .setAudience("https://myserver.okta.com/oauth2/default/v1/token")
        .setIssuedAt(Date.from(now))
        .setExpiration(Date.from(now.plus(5L, ChronoUnit.MINUTES))) // valid for 5 minutes
        //.setIssuer(clientId)
        .setIssuer("myemail")
        .setSubject("myemail")
        .setId(UUID.randomUUID().toString())                          // jti claim
        .signWith(signatureAlgorithm, signingKey)
        .compact();

I take the generated JWT and copy it into the client_assertion field here:
curl --location --request POST 'https://{yourOktaDomain}/oauth2/v1/token' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=okta.users.read' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion=eyJhbGciOiJSU…tHQ6ggOnrG-ZFRSkZc8Pw'

However, it says that the client_id is invalid, and that is because I don't have the client_id, right? So there is no other way to get the api_token if I don't have a client_id, correct?

The other method I found was this one:
curl -v -X POST \
  -H "Content-type:application/x-www-form-urlencoded" \
  "https://${yourOktaDomain}/oauth2/default/v1/token" \
  -d "client_id={client_id}&client_secret={client_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}&code={code}"

which again requires a client_id.

So, based on my understanding, there is no way to get the api_token dynamically if I don't have a client_id. Could you please confirm my understanding?

Kind regards,
Thiago

It looks like your audience is wrong; it should refer to your Org Authorization Server, as per the note:

Important: You request an access token by making a call to your Okta Org Authorization Server /authorize endpoint. Only the Org Authorization Server can mint access tokens that contain Okta API scopes.

You should have a client_id as mentioned in the guide (Create a service app and grant scopes | Okta Developer):

  1. Make note of the client_id that is returned in the response. You need that to grant scopes to your service app and when you create and sign the JWT.