Worflow for accessing protected API using JWT

Hello there,

I am implementing a system in which a Laravel web server has an API which must be protected only to authorized users (which can be either based on a React Native Application or a CLI). I would want the end users (which would be pre-registered in the okta admin console) to be able to authenticate once to the okta authorization server (using user/pwd credentials) and get a token (optionally with a refresh token) which they can use to access the protected API. Using the documentation I do not find any workflows which corresponds to this. The closest I found was the service client credentials workflow, but this workflow uses a single client ID and secret to get a token, whereas in my case I would like to use personal user/pwd credentials. I have also taken a look at the Native client workflow but this one requires a callback URI, which I do not need in my case as the user does not access the API right after logging in, instead it then uses it occasionally using the token directly.
What kind of workflow should I consider for this use case?

You could use the Password Resource Owner Flow, although this the most insecure flow. It does not require a redirectURI, but does require storing the app id/secret, as well as collecting a users username/password.

The client credentials flow does not contain a user context and is mostly for machine to machine.

A more secure flow would be to use a PKCE flow. This shouldn’t be an issue for the React Native application. For the CLI it can be done but does require spinning up a web server to handle the redirect.