Using postman to get Access Token

Hi I’m new to okta and I’m trying to integrate it with AWS API Gateway.

I have the custom authorizer created and I’m trying to generate an access token so I can test it out. The use case is for authentication for a REST api so am looking at the okta api calls directly, currently with Postman.

I’ve downloaded the OAuth2.0 postman requests and trying to use the Get Access Token with Client Credentials request however after filling in all the details (removing the redirect_uri and scpe as they seem to be optional judging by https://developer.okta.com/docs/api/resources/oauth2.html#request-a-token

But when I make the request I get the response

{
    "error": "invalid_client",
    "error_description": "Invalid value for 'client_id' parameter."
}

I’ve tried adding client_id as a section in the body or the headers but I just get

{
    "error": "invalid_request",
    "error_description": "Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body."
}

Can anyone help me with what I’ve got wrong with the request please?

1 Like

Yea, the postman collection doesn’t make this clear. You can post client_id and client_secret in the body, or in the authorization header (Authorization: Basic xxxx) Right now, the Authorization header is set by default in the postman example. If you want to use the body, you need to make Authorization type No Auth. If you want to use the Authorization header, you need to update your client id and secret in the Authorization section in postman.

The scope is optional if you have a default scope set, you will need to go into API -> Authorization Servers -> default -> Scopes to configure a default scope.

I feel like my response is sort of confusing, let me know if you need anymore help.

1 Like

Hi @tom,

Thanks, I managed to get the access token through using the client_id and client_secret in the body with the No Auth option) and that all is working.

I would like to get it working using a username and password if possible. My plan is to have a very fine grain access control based on the user logged in so I need to be able to use those details instead of the client id and secret if possible.

When using Basic Auth and entering the username and password I get the first error that I mention above ( invalid_client ). Is it possible to get an access token based on an individual user? And if so do you know what requests I need to use for that?

1 Like

I understand you are using API Gateway and you are protecting your APIs. But what are you building for a client? It is hard to make a recommendation without that information.

For self-service information:

Thanks!
Tom

1 Like

Hi, thanks @tom

We are building a rest API that we plan to provide to developers so they will be using the rest calls directly in whatever languages they are using. We plan to create our own client libraries to wrap the api, however not initially.

At the moment I’m not worried if I have to program something to get access tokens (preferably .Net or python, but any suitable language is fine), but long term we’d like the option of being able to just use the API directly.

Thanks,
Alistair

Hi @tom

Sorry, do you have any update with this? I’m still struggling to get an access token when using username and password to login using the oauth2/default/v1/token resource.

Thanks,
Alistair

This works for me, I think either A) there was a copy and paste issue with the client ID and client secret or B) the wrong application configuration in okta.

Here is the HTTP call that generates tokens for resource owner password flow:

POST /oauth2/default/v1/token HTTP/1.1
Host: XXXX.oktapreview.com
Accept: application/json
Authorization: Basic XXXX
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=password&redirect_uri=http%3A%2F%2Flocalhost%3A3000&username=XXXX%40gmail.com&password=XXXX&scope=openid

The other way you could look at doing this is using the implicit flow and one of our libraries (angular / react / auth js / widget) to get the access token down to the client.

A couple other notes, the application you would need to create is a Native Mobile app, this is the only application type we support resource owner password flow on. You will need to change the token authentication method to client authentication

Hi @tom

Thanks, that solved my problems. I was using grant_type of client_credentials and I wasn’t using a Native Mobile app, fixed those things and it’s now working.

One followup question, am I right in thinking that the url parameters (like grant_type, username, password) will be part of the encrypted data? I’m just concerned about whether a MITM would be able to see these parameters.

Sorry, I’m still quite new to this so still trying to understand it all.

Thanks,
Alistair

Hey @tom, I’m trying to do the same thing but I think I’m a bit more early in the process. Here’s what I have done:

I have registered an application in Okta and created an authorization server. I’m trying to use Postman to retrieve the access token but I am not being prompted to log into Okta. I tried to pass the client_id and client_secret in body but I got an error.

I’m trying to set up Okta to authenticate on a cloud application that my organization uses. I am simply trying to register the app in Okta and and then retrieve the JWT claim information and obtain the signer certificate from the token endpoint.

I am looking for the following information within the JWT:
UID
Sub
Email
Realm
Name

1 Like

Hey @john.mcroberts13, can you post a separate question? I don’t want to derail the current thread.

1 Like

Hey @tom, I have a similar use case and i did whatever mentioned in above but continuously i am getting 403 Forbidden.
I am using Postman for calling this API
POST https://xxx.oktapreview.com/oauth2/default/v1/token

and Body contain

grant_type=password
redirect_uri=https://www.getpostman.com/oauth2/callback
username=xxxx
password=xxxx
scope=openid

and i selected Authorziation as Basic and provided the ClientId and its secret.

Accept: application/json
Content-Type: application/x-www-form-urlencoded

Please help me in this…

1 Like

Can you check the system log to see if you can get any additional information? Also, please validate that you are using the right client id, and you have configured the application so it can use the password grant

1 Like

I tried with SOAP UI and it working fine with it, I think there might be some problem with POSTMAN.

I have same issue. Refresh token api is not working for me. Even the document is very difficult to find out. Passing param in body, doesnt not work .
Documentation is really horrible. They need to put more resources

var options= {
url:settings.orgUrl+’/oauth2/default/v1/token’,
headers: {
Accept: “application/json”,
Authorization: "Basic " + new Buffer(config.auth.id+config.auth.clientSecret).toString(‘base64’),
‘Cache-Control’: ‘no-cache’,
‘Content-Type’: “application/x-www-form-urlencoded”,
‘grant_type’:‘refresh_token’,
redirect_uri: encodeURIComponent(settings.redirectUri),
scope:‘offline_access’,
refresh_token:req.user.refresh_token
}
}
request.post(options,function(error,response,body){
console.log(body);
})

error":“invalid_client”,“error_description”:"Invalid value for ‘client_id’ parameter.

Hi @reemasaluja,

Have you tried refreshing the access token using postman collections?
I believe the documentation in this link is quite straightforward - https://developer.okta.com/authentication-guide/tokens/refreshing-tokens

I understand that using interceptors in postman can be hard, so you can try the following -

  1. Go to https://oidcdebugger.com/ (This is a tool written by @nate.barbettini to test OIDC endpoints)
  2. Enter the details according to your org. (You can set the state to any value)
  3. Make sure that you have added the redirect uri https://oidcdebugger.com/debug into your okta web application
  4. An authorization code will be returned to you in the next page, which can be used to get tokens using postman
  5. You can now use this refresh token to get a new access token

Try the above steps and see if it works for you.
If it works in postman, I don’t see a reason for it not working in your code.

BTW, in the code you posted I see you’re using config.auth.id in Authorization header. Can you check if it’s defined or if you should be using config.auth.clientId?

1 Like

Tried with Postman too.
Error: Token must include valid grant_type.

@vijet: I agree document is straight forward , but that doesnt seem to be working. Also there is no information on errors, and how to resolve it, no source too.

Have you updated the allowed grant types for your application to include “refresh token”?
You need to go to Applications -> Select your application -> General -> Select refresh token

Also, if you point the exact step you got the error, we can debug it further.

Thanks @vijet!
Below is the error

“{“error”:“invalid_request”,“error_description”:“The token request must specify a ‘grant_type’. Valid values: [refresh_token, authorization_code]”}”

I was able to reproduce your error by NOT passing grant_type=refresh_token in the body of the request.

I get back the accessToken if I include grant_type=refresh_token.

Just to be clear, you are able to get the Authorization Code and exchange it for access and refresh tokens right?
For the first /token request, you pass grant_type=authorization_code and you will get back access/id and refresh tokens.
Now for the second /token request, you pass the request token with grant_type=refresh_token and get back a new access token.

Thanks @vijet. As you suggested i have put params in body , and i do get success response. But when i am trying to send body request with refresh token API. I get error as in

Arguments body error

How shall i pass this object in api