
I want to test the Okta clientId and clientSecret provided by customer for OIDC configuration in my application. The only API I see helpful is the token API ({issuerURI}/oauth2/default/v1/token) but this API requires the admin to create a custom scope for the authorization server to be passed as value for "scope" parameter along with "grant_type: client_credentials". This impacts the user experience. The existing default scopes such as "openid, email, profile" etc. do not work with "client_credentials" grant_type. Is there a way to validate the clientId and clientSecret?

Sumit Jindal
  • 363
  • 1
  • 7
  • 17

1 Answer

2

The only way to validate client_id/secret is to try to authenticate and get a token.

As there is no user involved, you don't use the classic openid or email scopes, because the client_credentials flow is only for machine-to-machine communication and in this flow you don't need any user details.

You can configure the backend to include custom claims if you need to.

Tore Nestenius
  • 16,431
  • 5
  • 30
  • 40
  • The only option left is to tell the user to create a custom scope and provide it along with the client credentials. Thanks for the information! – Sumit Jindal May 10 '21 at 16:40
  • If you could elaborate more about what you are trying to achieve, then perhaps there is a better solution? Why do you need to create new scopes? Perhaps it can be achieved using claims in the access token and authorization rules in the API? – Tore Nestenius May 10 '21 at 17:14
  • Sure. So my application authenticates a user with Okta login and the redirect to Okta is done via Oauth2_proxy (which uses OIDC). For this the customer needs to configure its Okta in my application UI (OIDC will use clientId, clientSecret, IssuerURI). I need to validate the credentials (with a button called "Test connection") provided by admin before persisting them to my data store. – Sumit Jindal May 10 '21 at 17:18
  • Perhaps just ask for an access token without any scopes? Give it a try! – Tore Nestenius May 10 '21 at 18:18
  • Tried. The API gives 400 error. Although this can be a workaround assuming that the error is not 401 unauthorised and the error text is descriptive enough. – Sumit Jindal May 10 '21 at 19:09
  • Yes, it validates my knowledge and gives idea on solving this problem. Thank you! – Sumit Jindal May 11 '21 at 06:20