We are currently working on configuring our Okta tenant so we can do the following tasks:
- Obtain an OAuth 2.0 token via the client credentials flow with a client secret
- Use this token to make an API call (e.g., fetching the apps list)
We have successfully implemented the client credentials flow using a JWT signed with a key pair. However, we face challenges when attempting the same using a client secret (and unfortunately we need to use a client secret).
What We've Done So Far
App Creation:
- Sign-in method: API Services
- Client authentication: Client Secret
- DPoP is not required
- Granted Okta API scope: okta.apps.read
Authorization Server Configuration:
- Added a "default" scope and set it as the default scope for the "default" authorization server
Option #1 (Not working): Client Credentials Flow (Client Secret) with Basic Authorization
This is per Okta documentation (Okta Developer)
```
curl --request POST --url https://<okta-tenant>.okta.com/oauth2/default/v1/token --header 'accept: application/json' --header 'authorization: Basic MG9hZ…VVNYg==' --header 'cache-control: no-cache' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=client_credentials&scope=default'
```
We received the access token and used it in the following request:
```
curl -v -X GET -H "Accept: application/json" -H "Content-Type: application/json" -H "authorization: Bearer eyJraW…6A" "https://<okta-tenant>.okta.com/api/v1/apps"
```
The response to this request contained the following error:
```
www-authenticate: Bearer authorization_uri="http://<okta-tenant>.okta.com/oauth2/v1/authorize", realm="http://<okta-tenant>.okta.com", scope="okta.apps.read", error="invalid_request", error_description="The authorization server id is invalid.", resource="/api/v1/apps"
```
Option #2 (Not working): Standard OAuth 2.0 Client Credentials Flow (Client Secret)
This follows the OAuth 2.0 standard (passing the client secret in the body rather than in the Authorization Basic header as the Okta documentation shows).
```
curl -X POST "https://<okta-tenant>.okta.com/oauth2/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id=0oaf…7&client_secret=zFZ…Z&scope=default"
```
The response to this request contained the following error:
```
{"error":"invalid_client","error_description":"Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method."}
```
We'd greatly appreciate guidance on the following:
Are we overlooking anything regarding configuration to get OAuth2 client credentials flow using a client secret?
Is this method supported at all, compared to using JWT signing? (We've noticed several posts from others struggling with similar issues in implementing it.)
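The two errors above point at the token's issuer: Okta's management API (`/api/v1/*`) accepts tokens from the org authorization server (issuer `https://<tenant>/oauth2`), while the `default` custom authorization server issues tokens with issuer `https://<tenant>/oauth2/default`. The script below is an added example, not code from the original post or from Okta: it builds the Basic credentials header for the token request and decodes an access token's claims (without signature verification, for inspection only) to report why the management API would reject it. `ORG_URL` and the sample tokens are constructed placeholders.

```python
import base64
import json
from urllib.parse import quote

ORG_URL = "https://example-tenant.okta.com"  # constructed placeholder, not a real tenant


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Value for the 'Authorization' header on the token request.
    RFC 6749 section 2.3.1: form-urlencode each part, join with ':', base64-encode."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_unb64url(parts[1]))


def check_management_api_token(token: str, org_url: str, scope: str) -> list:
    """Return the reasons this token would be rejected by an /api/v1/* endpoint.
    Org authorization server issuer: <org_url>/oauth2
    Custom authorization server (e.g. 'default') issuer: <org_url>/oauth2/<id>"""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != org_url + "/oauth2":
        problems.append("issuer is not the org authorization server: " + str(claims.get("iss")))
    if scope not in claims.get("scp", []):
        problems.append("required scope missing: " + scope)
    return problems


def sample_token(iss: str, scp: list) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "scp": scp, "sub": "0oaPLACEHOLDER"}).encode())
    return f"{header}.{payload}."
```

Running `check_management_api_token` on a token minted by `/oauth2/default/v1/token` with `scope=default` reports both a wrong issuer and the missing `okta.apps.read` scope, which matches the `www-authenticate` error in Option #1.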