Where I’m used to using API tokens to integrate with Okta, I now wanted to use a defined OIDC app, use the client credentials flow and grant Okta API scopes. Authorizing integrations via OIDC seems much more fine-grained and manageable than issuing API tokens in the name of a (service account) user.
I end up getting the error message “One or more scopes are not configured for the authorization server resource.” when trying to get a token using this POST: https://example.okta.com/oauth2/default/v1/token?grant_type=client_credentials&scope=okta.apps.read
The scope “okta.apps.read” is granted in the tab “Okta API Scopes” of the app definition in Okta Admin panel.
The system log mentions that the default authorization server does not know of the requested scope and the request failed. I cannot add such a scope to the default (or any other) authorization server which starts with “okta”, since that’s a reserved prefix.
What am I missing or doing wrong?
Any help appreciated.
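Added example, not code from the poster or from any Okta SDK: a small Python helper that builds the client credentials token request for an Okta API scope. The behaviour it encodes is that Okta API scopes (the reserved `okta.*` prefix) exist only on the Org Authorization Server, whose token endpoint is `{org}/oauth2/v1/token`, while a custom server such as `/oauth2/default` can only issue custom scopes, which is why the default server reports the scope as not configured. The parameters are sent as a form-encoded POST body, which is what an OAuth 2.0 token endpoint expects, rather than as query-string parameters. The `client_assertion` parameter, the `request_token` function and the sample error payload are constructed for illustration and are not from the original post.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

OKTA_API_SCOPE_PREFIX = "okta."  # reserved prefix for Okta management API scopes
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

HINT_INVALID_SCOPE = (
    "Scope not configured on the authorization server you called: okta.* scopes "
    "are only served by the Org Authorization Server ({org}/oauth2/v1/token), "
    "and the scope must also be granted on the app's 'Okta API Scopes' tab."
)


def token_endpoint(org_url, auth_server_id, scopes):
    """Pick the token endpoint for the requested scopes.

    Requests carrying an okta.* scope go to the Org Authorization Server;
    everything else goes to the named custom authorization server.
    """
    org_url = org_url.rstrip("/")
    if any(s.startswith(OKTA_API_SCOPE_PREFIX) for s in scopes):
        return f"{org_url}/oauth2/v1/token"
    return f"{org_url}/oauth2/{auth_server_id}/v1/token"


def build_client_credentials_request(org_url, scopes, auth_server_id="default",
                                     client_assertion=None):
    """Return (url, form_body) for a client_credentials grant.

    Mixing okta.* scopes with custom scopes is rejected up front: no single
    authorization server can issue both, so such a request can never succeed.
    `client_assertion` (hypothetical parameter) is a pre-built signed JWT for
    private_key_jwt client authentication; when omitted the caller is expected
    to authenticate the client some other way.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    okta_scopes = [s for s in scopes if s.startswith(OKTA_API_SCOPE_PREFIX)]
    if okta_scopes and len(okta_scopes) != len(scopes):
        raise ValueError("okta.* scopes cannot be combined with custom scopes")

    body = {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    if client_assertion is not None:
        body["client_assertion_type"] = JWT_BEARER
        body["client_assertion"] = client_assertion
    return token_endpoint(org_url, auth_server_id, scopes), body


def explain_token_error(response_text):
    """Map an OAuth error document from the token endpoint to a short hint."""
    payload = json.loads(response_text)
    error = payload.get("error", "")
    if error == "invalid_scope":
        return HINT_INVALID_SCOPE
    return f"{error}: {payload.get('error_description', 'no description')}"


def request_token(url, body, timeout=10):
    """Send the form-encoded POST (network call; not exercised offline)."""
    req = Request(url, data=urlencode(body).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    with urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


# Constructed sample of the error body behind the message quoted in the post.
SAMPLE_ERROR_RESPONSE = json.dumps({
    "error": "invalid_scope",
    "error_description": "One or more scopes are not configured for the "
                         "authorization server resource.",
})


if __name__ == "__main__":
    url, body = build_client_credentials_request(
        "https://example.okta.com", ["okta.apps.read"])
    print("POST", url)
    print(urlencode(body))
    print(explain_token_error(SAMPLE_ERROR_RESPONSE))
```

Run stand-alone it prints the corrected endpoint for the post's request (`https://example.okta.com/oauth2/v1/token`) alongside the form body, and shows the hint produced for the quoted error. The reserved-prefix check is deliberately the only branch: there is no way to make a custom authorization server serve `okta.*` scopes, so the fix is always to change the endpoint, not the server configuration.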