Before implementing the flow, you must first create custom scopes for the Custom Authorization Server used to authenticate your app from the Okta Admin Console.
If you are not using existing libraries, you can make a direct request to Okta's OIDC & OAuth 2.0 API through the /token endpoint. See Request for token in the next section.
Request for token
The Client Credentials flow is intended for server-side (confidential) client applications with no end user, which normally describes machine-to-machine communication. Your client application needs to have its client ID and secret stored in a secure manner. You can find the client ID and secret on the General tab for your app integration.
Base64 encode the client ID and secret and then pass them through HTTP Basic Authentication in the request to your Custom Authorization Server's /token endpoint.
Note: The client ID and secret aren't included in the POST body, but rather are placed in the HTTP Authorization header following the rules of HTTP Basic Auth. The encoded value is a credential; log it, cache it, or commit it no more readily than you would the secret itself.
Note the parameters that are being passed in the form-encoded body:
- grant_type: client_credentials, indicating that we are using the Client Credentials grant type.
- scope: at least one custom scope that you create. See the Create Scopes section of the Create an Authorization Server guide. The default OpenID Connect scopes are not valid for this flow because there is no end user.
If the credentials are valid and the requested scope exists on the authorization server, the application receives an access token in the JSON response body.
Base64 encode the client ID and client secret
Use this section to Base64 encode the client ID and secret. When you finish encoding, you can then use the encoded client ID and secret in the HTTP Authorization header in the following format:
'authorization: Basic <Base64 encoded client ID and secret>'
1. Sign in to your Okta organization with your administrator account.
2. In the Admin Console, go to Applications > Applications.
3. Select the application that you want to use, and then on the General tab, copy the Client ID and Client secret.
4. Launch your preferred text editor and then paste the client ID and secret into a new file.
5. Place the client ID and secret on the same line and insert a colon between them, with no spaces around the colon:
clientid:clientsecret
6. Copy the clientid:clientsecret line.
7. Go to the base64encode.org web site and paste the clientid:clientsecret line in the Encode to Base64 format box.
8. Leave UTF-8 as the Destination character set and click Encode.
9. Copy the encoded line that appears.
Note: Pasting the secret into a third-party web page puts it in the browser and potentially in that site's hands. The command-line methods below keep the secret on your own machine and are preferable for anything other than a throwaway test app.
To encode the client ID and secret using the command line on Mac or Linux:
1. Follow steps 1 through 6 above.
2. Launch a terminal and enter the following command, replacing clientid:clientsecret with the value that you just copied to the clipboard:
echo -n clientid:clientsecret | base64
3. Copy the value that is returned.
Note: The -n flag matters. Without it the shell appends a newline to the input, and the encoded value then decodes to a secret with a trailing newline, which Okta rejects. If the value that is returned is broken into more than one line (GNU base64 on Linux wraps output at 76 characters), either pass -w 0 to base64, pipe the output through tr -d '\n', or return to your text editor and make sure that the entire result is on a single line with no text wrapping. The command also lands in your shell history together with the secret, so clear that entry or use the environment-variable approach in the example below the Windows steps.
To encode the client ID and secret using the command line on Windows:
1. Follow steps 1 through 5 above.
2. Save the file to C:\temp and name the file appCreds.txt. Make sure the editor does not add a trailing newline after the clientid:clientsecret line, because certutil encodes every byte of the file.
3. In Windows Explorer, right-click C:\temp, and then select CMD Prompt Here from the context menu.
4. Enter the following command to encode the client ID and client secret:
certutil -encode appCreds.txt appbase64Creds.txt
5. Locate and open appbase64Creds.txt in C:\temp, copy its contents, and then close the file.
Note: certutil -encode writes the output in PEM style: a -----BEGIN CERTIFICATE----- line, the Base64 text wrapped at 64 characters, and an -----END CERTIFICATE----- line. Copy only the Base64 lines and join them into a single line before placing them in the Authorization header.
Note: Delete the appCreds.txt and the appbase64Creds.txt files after you finish; both contain the client secret in recoverable form.
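The following script is an added example and not Okta's own sample code. It covers both procedures above: it builds the Basic credential from the client ID and secret (the same thing the manual Base64 steps produce, without the newline and line-wrapping pitfalls), verifies the credential decodes back to exactly clientid:clientsecret, and then issues the Client Credentials request described in Request for token. The org URL, authorization server path, client ID, client secret and scope name are placeholders; it reads real values from environment variables so the secret never lands in a file or in shell history as a command argument.

```shell
#!/bin/sh
# Added example (not Okta's code): Client Credentials token request against an
# Okta Custom Authorization Server. All identifiers below are placeholders.

# Build the Basic-auth credential: Base64 of "clientid:clientsecret".
# printf (unlike echo) adds no trailing newline to the input, and tr strips the
# line wrapping that GNU base64 inserts for long values.
encode_creds() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode the credential and confirm it is exactly "clientid:clientsecret",
# with no stray newline or whitespace. Returns non-zero on mismatch.
check_creds() {
  [ "$(printf '%s' "$1" | base64 --decode)" = "$2:$3" ]
}

# Send the token request. The credential goes only in the Authorization header;
# the form body carries grant_type and the custom scope. Prints Okta's JSON reply.
request_token() {
  issuer="$1"; encoded="$2"; scope="$3"
  curl -sS -X POST "${issuer}/v1/token" \
    -H "Accept: application/json" \
    -H "Authorization: Basic ${encoded}" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "scope=${scope}"
}

# Placeholder values (assumed, not from the guide). Supply real ones through
# the environment: OKTA_ISSUER, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, OKTA_SCOPE.
ISSUER="${OKTA_ISSUER:-https://dev-123456.okta.com/oauth2/default}"
CLIENT_ID="${OKTA_CLIENT_ID:-0oa1example}"
CLIENT_SECRET="${OKTA_CLIENT_SECRET:-examplesecret}"
SCOPE="${OKTA_SCOPE:-customScope}"

ENCODED=$(encode_creds "$CLIENT_ID" "$CLIENT_SECRET")
check_creds "$ENCODED" "$CLIENT_ID" "$CLIENT_SECRET" || { echo "credential encoding mismatch" >&2; exit 1; }

# Only talk to Okta when a real secret was provided; the placeholders above
# would just produce an invalid_client error.
if [ -n "$OKTA_CLIENT_SECRET" ]; then
  request_token "$ISSUER" "$ENCODED" "$SCOPE"
fi
```

The issuer is the authorization server's base URL (for the default Custom Authorization Server, https://<your-org>.okta.com/oauth2/default); the script appends /v1/token. A successful reply is JSON carrying the access token; a wrong or wrapped credential produces an invalid_client error, which is why the script checks the round trip before sending anything.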
Validate access token
When your application passes a request with an access token, the resource server needs to validate it. See Validate access tokens.