Unable to get token via client_credentials flow

Where I’m used to using API tokens to integrate with Okta, I now wanted to use a defined OIDC app, use the client credentials flow and grant Okta API scopes. Authorizing integrations via OIDC seems much more fine-grained and manageable than issuing API tokens in the name of a (service account) user.

I end up getting the error message “One or more scopes are not configured for the authorization server resource.” when trying to get a token using this POST: https://example.okta.com/oauth2/default/v1/token?grant_type=client_credentials&scope=okta.apps.read

The scope “okta.apps.read” is granted in the tab “Okta API Scopes” of the app definition in Okta Admin panel.

The system log mentions that the default authorization server does not know of the requested scope and the request failed. I cannot add such a scope to the default (or any other) authorization server which starts with “okta”, since that’s a reserved prefix.

What am I missing or doing wrong?

Any help appreciated.

Koen

You can only use the Org Authorization Server if you want to receive okta.* scopes (which you would do if you needed an Access Token that you can use against Okta’s own management APIs, in this case, /api/v1/apps). As you saw, you will not be able to create custom scopes with these names on a custom authorization server (such as default), but they already exist for the Org Authorization Server.

If you haven’t checked it out yet, I recommend following this guide about how to create an API Service app and use it to receive tokens with okta.* api scopes: Implement OAuth for Okta with a service app | Okta Developer
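The request the answer describes, as an added example that is not code from this thread or from Okta: it sends the client_credentials grant to the Org Authorization Server's token endpoint (`/oauth2/v1/token`, no server id in the path) rather than to `/oauth2/default/v1/token`, and authenticates the service app with a signed JWT client assertion (private_key_jwt), which is what the linked guide uses for API service apps. Assumptions: the org is `example.okta.com` (taken from the question), the client_id `0oaexampleclientid`, the key id `example-kid`, the PEM file name and the `rs256` signer in `main` are placeholders, and the signer is injected so the module itself runs with only the standard library.

```python
"""Client-credentials token request to the Okta org authorization server.

Added example, not code from the forum thread or from Okta. Assumptions: the org
is example.okta.com, the service app authenticates with private_key_jwt (a
signed JWT client assertion, as in Okta's "OAuth for Okta" service-app guide),
and the signing callable is supplied by the caller. Only main() touches the
network.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
import uuid

# Assumption: the org base URL (the thread uses example.okta.com).
ORG_URL = "https://example.okta.com"
# The org authorization server has no server id in its path; custom servers do.
ORG_TOKEN_ENDPOINT = f"{ORG_URL}/oauth2/v1/token"
CUSTOM_AS_TOKEN_ENDPOINT = f"{ORG_URL}/oauth2/default/v1/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint_for(scope):
    """Pick the token endpoint a space-separated scope string must go to.

    okta.* scopes exist only on the org authorization server, and custom scopes
    exist only on a custom authorization server, so a request mixing the two
    cannot succeed anywhere and is rejected up front.
    """
    scopes = scope.split()
    if not scopes:
        raise ValueError("empty scope")
    okta_scopes = [s for s in scopes if s.startswith("okta.")]
    if okta_scopes and len(okta_scopes) != len(scopes):
        raise ValueError("okta.* scopes cannot be mixed with custom-AS scopes")
    return ORG_TOKEN_ENDPOINT if okta_scopes else CUSTOM_AS_TOKEN_ENDPOINT


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_assertion(client_id, token_endpoint, signer, alg="RS256",
                           kid=None, lifetime=300, now=None):
    """Build the private_key_jwt client assertion for a service app.

    `signer` receives the JWS signing input and returns the raw signature, so
    any asymmetric key backend can be plugged in. Okta verifies it against the
    public JWK registered on the app, so a shared-secret alg like HS256 is not
    an option here.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    if kid:
        header["kid"] = kid   # must match the kid of the JWK registered on the app
    claims = {
        "iss": client_id,          # iss and sub are both the app's client_id
        "sub": client_id,
        "aud": token_endpoint,     # the exact token endpoint being called
        "iat": now,
        "exp": now + lifetime,     # keep the assertion short-lived
        "jti": str(uuid.uuid4()),  # unique per assertion so it cannot be replayed
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def decode_unverified(jwt):
    """Split a compact JWT into (header, claims) without checking the signature.
    For inspection only; never trust claims decoded this way."""
    h, c, _sig = jwt.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))


def build_token_request(scope, client_assertion):
    """URL and form-encoded POST body for the client_credentials grant."""
    url = token_endpoint_for(scope)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": client_assertion,
    }).encode("ascii")
    return url, body


def request_token(scope, client_assertion):
    """POST the request and return the parsed token response (network call)."""
    url, body = build_token_request(scope, client_assertion)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def main():
    # Placeholders: your service app's client_id, the kid of its registered
    # public key, and the matching private key in PEM form.
    client_id, kid, pem_path = "0oaexampleclientid", "example-kid", "service-app.pem"
    try:
        from cryptography.hazmat.primitives import hashes, serialization
        from cryptography.hazmat.primitives.asymmetric import padding
    except ImportError:
        raise SystemExit("install 'cryptography' to sign the assertion with RS256")
    with open(pem_path, "rb") as f:
        key = serialization.load_pem_private_key(f.read(), password=None)
    rs256 = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    scope = "okta.apps.read"                      # granted under "Okta API Scopes"
    endpoint = token_endpoint_for(scope)          # the org AS, not /oauth2/default
    assertion = build_client_assertion(client_id, endpoint, rs256, kid=kid)
    print(json.dumps(request_token(scope, assertion), indent=2))


if __name__ == "__main__":
    main()
```

The token endpoint is chosen before the assertion is built because the assertion's `aud` has to be that exact URL; sending a request signed for `/oauth2/v1/token` to `/oauth2/default/v1/token` fails on the audience check before the scope check even runs.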