To retrieve all the users from an Okta project using C#

I want to retrieve all the users from an Okta project using C# with a machine-to-machine project, I mean using a client ID and secret. I have granted access to okta.users.read and created a custom scope named “access_token”. It is able to retrieve a token, but “call 2” fails.
Also, when I give the scope as okta.users.read, the “call 1” request fails.

    using System;
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using Newtonsoft.Json;

    // OktaToken is the poster's own class (not shown) with an access_token property.
    static void RetrieveOktaUsers()
    {
        string BASE_URL = "";
        //
        string CLIENT_ID = "clientid";
        string YOUR_CLIENT_SECRET = "secret";

        string OAUTH_ENDPOINT = "oauth2/default/v1/token";
        string USERS_ENDPOINT = "api/v1/users";
        string AUDIENCE = "";

        OktaToken oktaToken = null;

        // Call 1: client credentials request with HTTP Basic client authentication
        using (HttpClient httpClient = new HttpClient())
        {
            httpClient.BaseAddress = new Uri(BASE_URL);
            var authToken = Encoding.ASCII.GetBytes($"{CLIENT_ID}:{YOUR_CLIENT_SECRET}");
            httpClient.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Basic", Convert.ToBase64String(authToken));
            httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
            FormUrlEncodedContent formUrlEncodedContent = new FormUrlEncodedContent(new[]
            {
                new KeyValuePair<string, string>("grant_type", "client_credentials"),
                new KeyValuePair<string, string>("scope", "access_token"),
                new KeyValuePair<string, string>("audience", "api://default"),
            });

            HttpResponseMessage response = httpClient.PostAsync(OAUTH_ENDPOINT, formUrlEncodedContent).Result;
            //response.EnsureSuccessStatusCode();
            var resp = response.Content.ReadAsStringAsync().Result;
            oktaToken = JsonConvert.DeserializeObject<OktaToken>(resp);
        }

        // Call 2: list users with the bearer token from call 1
        using (HttpClient httpClient = new HttpClient())
        {
            httpClient.BaseAddress = new Uri(BASE_URL);
            httpClient.DefaultRequestHeaders.Add("authorization", $"Bearer {oktaToken.access_token}");
            httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
            HttpResponseMessage response = httpClient.GetAsync(USERS_ENDPOINT).Result;
            //response.EnsureSuccessStatusCode();
            var resp = response.Content.ReadAsStringAsync().Result;
        }
    }

It looks like you’re getting the access token from the wrong authorization server. I see you have a line audience: "api://default" which is specific to the custom authorization server named “default” that Okta creates for you. According to their docs, you have to use the org authorization server for OAuth for Okta APIs. https://developer.okta.com/docs/guides/implement-oauth-for-okta/overview/

Note: Request an access token by making a request to your Okta Org Authorization Server /authorize endpoint. Only the Org Authorization Server can mint access tokens that contain Okta API scopes.


If I understood correctly then /authorize will need user name and password
https://{yourOktadomain}/oauth2/v1/authorize?client_id=0oan47pj9BsB30h7&response_type=token&response_mode=fragment&scope=okta.users.read&redirect_uri={yourConfiguredRedirectUri}&nonce=UBGW&state=1234

I want to use clientid and secret since the service is machine-to-machine communication. I don’t know if there is a way to retrieve users from machine to machine with clientid and secret.

You can use client credentials flow with the org authorization server according to https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/get-access-token/ but it requires a signed JWT. The setup process can be found at https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/overview/
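The flow described in the reply above, as an added example that is not part of the original thread or Okta's own sample code: a client credentials request to the org authorization server authenticated with an RS256-signed `client_assertion` instead of a client secret. It assumes .NET 5 or later, hypothetical environment variable names (`OKTA_DOMAIN`, `OKTA_CLIENT_ID`, `OKTA_PRIVATE_KEY_PEM`), and that the matching public key is already registered on the service app.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

static class OktaServiceAppExample
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    // RS256-signed client_assertion: iss and sub are the client ID, aud is the token URL.
    static string BuildClientAssertion(string clientId, string tokenUrl, RSA key)
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string header = B64Url(JsonSerializer.SerializeToUtf8Bytes(new { alg = "RS256" }));
        string claims = B64Url(JsonSerializer.SerializeToUtf8Bytes(new
        {
            iss = clientId, sub = clientId, aud = tokenUrl,
            iat = now, exp = now + 300, jti = Guid.NewGuid().ToString() // short-lived, unique ID
        }));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes($"{header}.{claims}"),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return $"{header}.{claims}.{B64Url(sig)}";
    }
    static async Task Main()
    {
        string domain = Environment.GetEnvironmentVariable("OKTA_DOMAIN"); // assumed env var names
        string clientId = Environment.GetEnvironmentVariable("OKTA_CLIENT_ID");
        using RSA key = RSA.Create();
        key.ImportFromPem(Environment.GetEnvironmentVariable("OKTA_PRIVATE_KEY_PEM"));
        string tokenUrl = $"https://{domain}/oauth2/v1/token"; // org server: no "/default"
        using var http = new HttpClient();
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["scope"] = "okta.users.read", // request only the scope the job needs
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = BuildClientAssertion(clientId, tokenUrl, key),
        });
        HttpResponseMessage tokenResp = await http.PostAsync(tokenUrl, form);
        tokenResp.EnsureSuccessStatusCode();
        using JsonDocument doc = JsonDocument.Parse(await tokenResp.Content.ReadAsStringAsync());
        string accessToken = doc.RootElement.GetProperty("access_token").GetString();
        http.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
        Console.WriteLine(await http.GetStringAsync($"https://{domain}/api/v1/users"));
    }
}
```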

I am getting an error while retrieving the token: https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/get-access-token/

I am successfully able to create the project and grant permission for the okta.users.read scope.

Error:

    {
        "error": "invalid_client",
        "error_description": "The issuer and subject claim for client_assertion is invalid because the client does not have a client secret."
    }