I'm building an ASP.NET web application using Okta MFA verify. So I'm using an OIDC application and I need to use the client secret method to get an authorisation token.
I attempted to retrieve an access token using the endpoint: https://integrator-8768245.okta.com/oauth2/v1/token
{
    "error": "invalid_client",
    "error_description": "Only clients with 'application_type' of 'service' may use the client_credentials 'grant_type' with the Org Authorization Server."
}
What is the correct way to obtain an OAuth 2.0 access token for Okta APIs without using an SSWS token?
Any guidance or best practices would be greatly appreciated.
You cannot use Client Secret auth when completing the Client Credentials flow against the Org Authorization Server. This is deliberate on our part, as the Org Authorization Server is only intended to issue Access Tokens that protect Okta resources, not third-party resources, and as such requires use of Private Key JWT auth as a security measure to protect those Okta resources. In short, the Org Authorization Server is not designed to support M2M use cases.
If you are instead trying to secure your own resource server, try updating your integration to point to a Custom Authorization Server instead, like the one named "Default."
Note that you will have to create an Access Policy (allowing this specific client to use the server) and Access Rule (allowing client credentials flow to be used) before you will be able to use a custom authorization server. If you don’t, you will encounter a no_matching_policy error, as described here.
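As an added example (not code from the original thread or from Okta), here is what the recommended path looks like in practice: build a `client_credentials` request with `client_secret_basic` authentication against the custom authorization server's token endpoint (`/oauth2/default/v1/token` rather than the Org AS `/oauth2/v1/token`), then parse the response and map the error codes this thread mentions to the fix the answer describes. The client ID, client secret, scope name and the token/error bodies below are constructed placeholders; the Okta domain is the one from the question.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed placeholders (not real credentials).
OKTA_DOMAIN = "integrator-8768245.okta.com"   # domain from the question
CLIENT_ID = "0oaexampleclientid"              # constructed
CLIENT_SECRET = "example-client-secret"       # constructed


def token_endpoint(domain, auth_server_id=None):
    """Org Authorization Server endpoint when auth_server_id is None,
    otherwise the custom AS (e.g. 'default') the answer recommends."""
    if auth_server_id is None:
        return f"https://{domain}/oauth2/v1/token"
    return f"https://{domain}/oauth2/{auth_server_id}/v1/token"


def build_client_credentials_request(domain, client_id, client_secret,
                                     scopes, auth_server_id="default"):
    """Return (url, headers, body) for a client_credentials grant using
    client_secret_basic (RFC 6749 section 2.3.1). The id and secret are
    form-urlencoded before base64 so reserved characters survive."""
    if not scopes:
        # A custom AS with no default scopes rejects a scope-less
        # client_credentials request with invalid_scope, so require one.
        raise ValueError("client_credentials on a custom AS needs at least one scope")
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "client_credentials",
                      "scope": " ".join(scopes)})
    return token_endpoint(domain, auth_server_id), headers, body


def decode_basic_credentials(authorization_header):
    """Inverse of the Basic header construction above, for checking."""
    raw = base64.b64decode(authorization_header.removeprefix("Basic ")).decode()
    return tuple(raw.split(":", 1))


# Remediation hints keyed on the error codes discussed in the thread.
ERROR_HINTS = {
    "invalid_client": "client auth rejected; against the Org AS use a custom AS "
                      "(e.g. 'default') or switch to private_key_jwt",
    "no_matching_policy": "add an access policy and rule on the custom AS that "
                          "allows this client and the client_credentials grant",
    "invalid_scope": "define the requested scope on the custom AS",
}


def parse_token_response(status, body):
    """Distinguish a token response from an OAuth error response."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"ok": True, "access_token": data["access_token"],
                "expires_in": data.get("expires_in"), "scope": data.get("scope")}
    err = data.get("error", "unknown_error")
    return {"ok": False, "error": err,
            "description": data.get("error_description", ""),
            "hint": ERROR_HINTS.get(err, "")}


# Constructed sample responses: the first is the error body from the question,
# the others are shaped like Okta's documented responses but are made up here.
ORG_AS_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": "Only clients with 'application_type' of 'service' may use "
                         "the client_credentials 'grant_type' with the Org Authorization Server."})
NO_POLICY_ERROR = json.dumps({
    "error": "no_matching_policy",
    "error_description": "No policy matched the request (constructed)."})
TOKEN_OK = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                       "access_token": "eyJ.constructed.token", "scope": "myapi.read"})


def demo():
    url, headers, body = build_client_credentials_request(
        OKTA_DOMAIN, CLIENT_ID, CLIENT_SECRET, ["myapi.read"])
    print("POST", url)
    print(body)
    for status, resp in ((401, ORG_AS_ERROR), (400, NO_POLICY_ERROR), (200, TOKEN_OK)):
        print(status, parse_token_response(status, resp))


if __name__ == "__main__":
    demo()
```

The request built here would be sent with any HTTP client (in the ASP.NET app, `HttpClient` with the same headers and form body); the parsing step is where a `no_matching_policy` from a freshly created custom AS should be caught and reported rather than retried, since it is a configuration problem on the authorization server, not a transient failure.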