I need to retrieve the api_token or SSWS dynamically in order to do other actions with it. I don't have a redirect_uri, nor the app to get a client_id and client secret for this API call below:
curl -v -X POST \
-H "Content-type:application/x-www-form-urlencoded" \
"https://${yourOktaDomain}/oauth2/default/v1/token" \
-d "client_id={client_id}&client_secret={client_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}&code={code}"
So, I found this one:
curl --location --request POST 'https://rossstores-test.okta.com/oauth2/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=okta.users.read' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=20111QII4MahtU5pLTDmU65-phdW7RcYx9ToC6A7i9hjVIU542ADs3i'
However, I am not sure how to get the client_assertion. Could you please clarify?
If you read the guide and followed the steps, it links to the tool (https://www.jsonwebtoken.dev/) that will generate a JWT, which is the client_assertion.
Hi Warren, I read it, but I need something dynamic, where I can call an API and get it. E.g. a curl command or something similar. Can you please help me with that?
I have been doing some research, and I will be able to generate the client_assertion only if I have the client_id, right? But I don't have the client_id. I just have my user and password as an admin user of the Okta system.
So, the way I am doing it is this:
import java.security.Key;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import java.util.UUID;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

// generate token for tests
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
// We will sign our JWT with our ApiKey secret (HMAC over a shared secret)
byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(this.getSecret());
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
Instant now = Instant.now();
String jwt1 = Jwts.builder()
    .setAudience("https://myserver.okta.com/oauth2/default/v1/token")
    .setIssuedAt(Date.from(now))
    .setExpiration(Date.from(now.plus(5L, ChronoUnit.MINUTES)))
    //.setIssuer(clientId)
    .setIssuer("myemail")
    .setSubject("myemail")
    .setId(UUID.randomUUID().toString())
    .signWith(signatureAlgorithm, signingKey)
    .compact();
I get the generated JWT and copy it into the client_assertion field here:
curl --location --request POST 'https://{yourOktaDomain}/oauth2/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=okta.users.read' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhbGciOiJSU…tHQ6ggOnrG-ZFRSkZc8Pw'
However, it says that the client_id is invalid, and that is because I don't have the client_id, right? So there is no other way to get the api_token if I don't have a client_id, correct?
The other method I found was this one:
curl -v -X POST \
-H "Content-type:application/x-www-form-urlencoded" \
"https://${yourOktaDomain}/oauth2/default/v1/token" \
-d "client_id={client_id}&client_secret={client_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}&code={code}"
That, again, requires a client_id as well.
So, based on my understanding, there is no way to get the api_token dynamically if I don't have a client_id. Could you please confirm my understanding?
It looks like your audience is wrong; it should refer to your org authorization server, as per the note:
Important: You request an access token by making a call to your Okta Org Authorization Server /authorize endpoint. Only the Org Authorization Server can mint access tokens that contain Okta API scopes.
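Putting Warren's answer and the audience note together, here is an added example that is not from this thread, from Okta or from the poster: a Go program (standard library only) that builds the client_assertion dynamically for the client_credentials grant and then runs the same checks the authorization server applies, so the two failures seen above (an issuer/subject that is not the client_id, and an audience pointing at /oauth2/default instead of the org authorization server) show up as errors before any request is sent. The client_id, Okta domain and RSA key are constructed placeholders; a real run uses the service app's client_id and the private key whose public JWK is registered on that app. The claim set follows what Okta documents for client assertions (iss = sub = client_id, aud = https://{yourOktaDomain}/oauth2/v1/token, exp, jti) with RS256.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims Okta documents for a private_key_jwt client assertion (RFC 7523): iss and sub are
// the service app's client_id, aud is the org authorization server's token endpoint.
type ClientAssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"` // random id so the assertion cannot be replayed
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs the claims with RS256 under the app's private key (the public half is the JWK registered on the app).
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(ClientAssertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Jti: b64url(jti),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion performs the checks an authorization server makes before accepting the
// JWT as client authentication: alg pinned to RS256, signature valid under the registered key,
// iss and sub equal to the expected client_id, aud equal to the endpoint hit, exp in the future.
func VerifyClientAssertion(pub *rsa.PublicKey, jwt, clientID, tokenEndpoint string, now time.Time) (*ClientAssertionClaims, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	rawHeader, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("bad base64url in JWT")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c ClientAssertionClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, fmt.Errorf("invalid client_id: iss=%q sub=%q", c.Iss, c.Sub)
	case c.Aud != tokenEndpoint:
		return nil, fmt.Errorf("wrong audience %q, expected %q", c.Aud, tokenEndpoint)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("assertion expired")
	}
	return &c, nil
}

// TokenRequestBody builds the form body the curl command in the thread posts.
func TokenRequestBody(assertion, scope string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("scope", scope)
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key, constructed for the demo
	jwt, _ := BuildClientAssertion(key, "0oa_PLACEHOLDER_CLIENT_ID", "https://dev-example.okta.com/oauth2/v1/token", time.Now(), 5*time.Minute)
	fmt.Println(TokenRequestBody(jwt, "okta.users.read"))
}
```

Two things the example makes concrete: the assertion is signed with the app's asymmetric key, so the HMAC-with-API-secret approach in the posted Java cannot be accepted by Okta, and every claim that the server checks is tied to a client_id, which is why the grant is unusable without a registered service app. Keep the ttl short (Okta's guidance is minutes) and generate a fresh jti per request.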