Unable to fetch the super user token from Okta

I am unable to get the user token. A similar doubt was posted on - Fetching the User token but is still not resolved. I did see your video, but that is for a single-page app and mine is a multi-page app with SSO.
If I understand it correctly, to fetch the user token from Okta I need to get the auth code, and then based on the auth code I need to get the user token. Is my understanding correct?
Below are the APIs involved.
Auth URL: https://dev-10159567.okta.com/oauth2/default/v1/authorize
Access Token URL: https://dev-10159567.okta.com/oauth2/default/v1/token

The goal is to use the token of the super user obtained from Okta; I should be able to invoke any of the APIs of my application that is configured as part of SSO.

Please help, and we can Zoom if needed. Thank you.

Also, when I am trying to generate the token from Postman by giving the callback URL, auth token, access token URL, client ID, client secret, scope, state… I am getting the Okta SSO login page, and after I put in my credentials, I get the tokens. Why should I put the credentials on the login page? It should redirect automatically. My user should be treated as a super user and be provided the token, with the details in the request. I should not be asked to log in.
Attaching the config. Please let me know if a configuration change is needed or what I am missing here.



I should not have to log in.

Also, do we have an API or some way to get the token for a specific super user?

Any help on this, please?

Can you please provide the inputs. @sigama

Hello @harishdalmia,

It’s sounding like what you need here is possibly to set up a Service App if you’re looking to obtain OAuth tokens for Okta API calls: Implement OAuth for Okta with a service app | Okta Developer. The reason I say this is because you mentioned Super User permissions, which you can grant to the Service App in order to make Okta API calls based on granular scopes. Please check this out and let us know if it will work for your purposes.

@daniel.sanders Thanks for the response. I will try. Does this solve the problem below?

Consider application ‘X’ is configured to use Oracle IDCS for authentication. Another application ‘B’ is configured to use Okta for authentication. Now IDCS and Okta are configured in an SSO such that IDCS is the service provider and Okta is the IdP. Is there a way a user logged into application ‘B’ can hit an API on application ‘X’? We are expecting the auth to be handled by virtue of SSO. Application B can have whatever token generation logic is needed to do this, and we are open to using SAML or OIDC.


Some doubts as well:

  1. This option - https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/ - which you have suggested in the comment is only for accessing Okta endpoints themselves; I don’t think it would be helpful for our use case. Please suggest.

  2. A custom scope with the default auth server option is also promising, but will that generate ID tokens?

  3. Is the statement true that we cannot add our own scopes with this service app option, and can only add Okta API scopes?

Please share a link or guide or any reference material to achieve it.

Any help or input here? I am available for a Zoom call also, if needed. I really need some input here.

I will attempt to answer your questions in order:

  1. Yes, OAuth for Okta with a Service App is specifically for the purposes of using the Okta API with OAuth Bearer Tokens. Gating between two different APIs, neither of which is ours, would be beyond the scope of this solution, strictly speaking.

  2. Setting up a custom scope with the default authorization server can indeed generate ID Tokens; you can request them through the Authorization Code or Implicit flow by requesting the ID Token specifically. For details on this, check the /authorize and /token endpoints here: OpenID Connect & OAuth 2.0 API | Okta Developer

  3. Yes, this is correct. Because the Service App is using the Org Authorization Server and OAuth for Okta, custom scopes are not supported.

I do also want to note here that we have an OAuth Token Exchange flow that seems to roughly fit what you are going for here: Set up OAuth 2.0 On-Behalf-Of Token Exchange | Okta Developer

This would allow you to essentially use a service app and a native app in tandem and exchange tokens between them. This is essentially going to be managing scopes and claims that are within your Okta org though, so if that’s not what you want to do it may not be the best solution.

If you are wanting to do direct exchange between two APIs, can you tell me where Okta would stand in that sort of solution? Are you just wanting SSO for your apps that are doing this without touching your Okta org, or are you wanting to gate calls of your own APIs similar to this? Protect your API endpoints | Okta Developer

If you’d like to set up a Zoom call to get direct assistance from Support I would highly recommend opening a Support case. We’ll be happy to talk with you about this over a Zoom meeting and make sure your questions get answered to your satisfaction.

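The flow asked about in the first post (get an authorization code, then redeem it for tokens) and the answer's point 2 (request an ID token from the default authorization server with a custom scope) are the same Authorization Code round trip. The following is an added example, not code from the thread or from Okta: it builds the /authorize redirect with PKCE, builds the /token request body, and then performs the claim checks a relying party must make on the returned ID token before trusting it. The issuer and endpoint URLs are the ones given in the first post; the client ID, redirect URI, custom scope name and the token response are constructed placeholders, and no network call is made. Verifying the ID token signature against the authorization server's JWKS is assumed to be done separately (for example by a JWT library) and is not shown.

```python
import base64
import hashlib
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Endpoints taken from the first post of the thread (default authorization server).
ISSUER = "https://dev-10159567.okta.com/oauth2/default"
AUTHORIZE_URL = ISSUER + "/v1/authorize"
TOKEN_URL = ISSUER + "/v1/token"
# Placeholders for this example, not real Okta identifiers.
CLIENT_ID = "0oaPLACEHOLDERclientid"
REDIRECT_URI = "https://app-b.example.com/login/callback"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding used by PKCE and JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, nonce: str, code_challenge: str,
                        scopes=("openid", "profile", "app_x.read")) -> str:
    """Step 1: the browser is redirected here. 'openid' is what makes /token return
    an ID token; 'app_x.read' stands in for a custom scope on the default server."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": REDIRECT_URI,
        "state": state,                    # bound to the session; checked on callback
        "nonce": nonce,                    # echoed in the ID token; replay protection
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 2: form body for POST /v1/token. A web app also authenticates itself
    to the token endpoint (client secret in an Authorization header), omitted here."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def jwt_claims(token: str) -> dict:
    """Decode only the payload segment; signature verification is a separate step."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def validate_id_token(id_token: str, expected_nonce: str, now: Optional[int] = None) -> dict:
    """Step 3: claim checks the relying party must make before trusting the token."""
    now = int(time.time()) if now is None else now
    claims = jwt_claims(id_token)
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def constructed_token_response(nonce: str, now: int) -> dict:
    """Constructed sample of a /v1/token response. The signature segment is a
    placeholder, so this exercises only the claim checks above."""
    header = b64url(json.dumps({"alg": "RS256", "kid": "placeholder-kid"}).encode())
    payload = b64url(json.dumps({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "00uPLACEHOLDERuser",
        "iat": now, "exp": now + 3600, "nonce": nonce, "email": "user@example.com",
    }).encode())
    return {"token_type": "Bearer", "expires_in": 3600,
            "access_token": "placeholder.access.token",
            "id_token": f"{header}.{payload}.placeholder-signature"}


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = make_pkce()
    print(build_authorize_url(state, nonce, challenge))
    print(build_token_request("code-from-callback", verifier))
    resp = constructed_token_response(nonce, int(time.time()))
    print(validate_id_token(resp["id_token"], nonce)["sub"])
```

The login prompt the first post complains about is inherent to this flow: the /authorize step is where Okta authenticates the end user (or reuses an existing Okta session), and the resulting ID token identifies that user, not a fixed "super user". A token that represents the application itself rather than a person is the client-credentials case the answer points to with the Service App.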

Hi @daniel.sanders, I will explain again.

Consider application ‘X’ is configured to use Oracle IDCS for authentication. Another application ‘B’ is configured to use Okta for authentication. Now, IDCS and Okta are configured in an SSO such that IDCS is the service provider and Okta is the IdP. Is there a way a user logged into application ‘B’ can hit an API on application ‘X’ in terms of auth? I am expecting the auth to be handled by SSO. Application B can have whatever token generation logic is needed to do this, and I am open to using SAML or OIDC. I think I will need to add the scopes of both apps for inter-communication. Note that both are my products and I have taken care of CORS and other security issues. Also, these apps will talk at runtime, so I don’t expect the end user to enter the password again.

Please note there is no native application. It is a web-based application. We select “OIDC - OpenID Connect” while creating the app, and then in Application type we select “Web Application”.

Any update here, please?