Hi I’m new to okta and I’m trying to integrate it with AWS API Gateway.
I have the custom authorizer created and I’m trying to generate an access token so I can test it out. The use case is for authentication for a REST api so am looking at the okta api calls directly, currently with Postman.
I’ve downloaded the OAuth2.0 postman requests and trying to use the Get Access Token with Client Credentials request however after filling in all the details (removing the redirect_uri and scpe as they seem to be optional judging by OpenID Connect & OAuth 2.0 API | Okta Developer
But when I make the request I get the response
{
"error": "invalid_client",
"error_description": "Invalid value for 'client_id' parameter."
}
I’ve tried adding client_id as a section in the body or the headers but I just get
{
"error": "invalid_request",
"error_description": "Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body."
}
Can anyone help me with what I’ve got wrong with the request please?
Yea, the postman collection doesn’t make this clear. You can post client_id and client_secret in the body, or in the authorization header (Authorization: Basic xxxx) Right now, the Authorization header is set by default in the postman example. If you want to use the body, you need to make Authorization type No Auth. If you want to use the Authorization header, you need to update your client id and secret in the Authorization section in postman.
The scope is optional if you have a default scope set, you will need to go into API -> Authorization Servers -> default -> Scopes to configure a default scope.
I feel like my response is sort of confusing, let me know if you need anymore help.
Thanks, I managed to get the access token through using the client_id and client_secret in the body with the No Auth option) and that all is working.
I would like to get it working using a username and password if possible. My plan is to have a very fine grain access control based on the user logged in so I need to be able to use those details instead of the client id and secret if possible.
When using Basic Auth and entering the username and password I get the first error that I mention above ( invalid_client ). Is it possible to get an access token based on an individual user? And if so do you know what requests I need to use for that?
I understand you are using API Gateway and you are protecting your APIs. But what are you building for a client? It is hard to make a recommendation without that information.
We are building a rest API that we plan to provide to developers so they will be using the rest calls directly in whatever languages they are using. We plan to create our own client libraries to wrap the api, however not initially.
At the moment I’m not worried if I have to program something to get access tokens (preferably .Net or python, but any suitable language is fine), but long term we’d like the option of being able to just use the API directly.
Sorry, do you have any update with this? I’m still struggling to get an access token when using username and password to login using the oauth2/default/v1/token resource.
This works for me, I think either A) there was a copy and paste issue with the client ID and client secret or B) the wrong application configuration in okta.
Here is the HTTP call that generates tokens for resource owner password flow:
The other way you could look at doing this is using the implicit flow and one of our libraries (angular / react / auth js / widget) to get the access token down to the client.
A couple other notes, the application you would need to create is a Native Mobile app, this is the only application type we support resource owner password flow on. You will need to change the token authentication method to client authentication
Thanks, that solved my problems. I was using grant_type of client_credentials and I wasn’t using a Native Mobile app, fixed those things and it’s now working.
One followup question, am I right in thinking that the url parameters (like grant_type, username, password) will be part of the encrypted data? I’m just concerned about whether a MITM would be able to see these parameters.
Sorry, I’m still quite new to this so still trying to understand it all.
Hey @tom, I’m trying to do the same thing but I think I’m a bit more early in the process. Here’s what I have done:
I have registered an application in Okta and created an authorization server. I’m trying to use Postman to retrieve the access token but I am not being prompted to log into Okta. I tried to pass the client_id and client_secret in body but I got an error.
I’m trying to set up Okta to authenticate on a cloud application that my organization uses. I am simply trying to register the app in Okta and and then retrieve the JWT claim information and obtain the signer certificate from the token endpoint.
I am looking for the following information within the JWT:
UID
Sub
Email
Realm
Name
Can you check the system log to see if you can get any additional information? Also, please validate that you are using the right client id, and you have configured the application so it can use the password grant
I have same issue. Refresh token api is not working for me. Even the document is very difficult to find out. Passing param in body, doesnt not work .
Documentation is really horrible. They need to put more resources
Try the above steps and see if it works for you.
If it works in postman, I don’t see a reason for it not working in your code.
BTW, in the code you posted I see you’re using config.auth.id in Authorization header. Can you check if it’s defined or if you should be using config.auth.clientId?
Tried with Postman too.
Error: Token must include valid grant_type.
@vijet: I agree document is straight forward , but that doesnt seem to be working. Also there is no information on errors, and how to resolve it, no source too.
Have you updated the allowed grant types for your application to include “refresh token”?
You need to go to Applications -> Select your application -> General -> Select refresh token
I get back the accessToken if I include grant_type=refresh_token.
Just to be clear, you are able to get the Authorization Code and exchange it for access and refresh tokens right?
For the first /token request, you pass grant_type=authorization_code and you will get back access/id and refresh tokens.
Now for the second /token request, you pass the request token with grant_type=refresh_token and get back a new access token.
Thanks @vijet. As you suggested i have put params in body , and i do get success response. But when i am trying to send body request with refresh token API. I get error as in