Okta Configuration For Client Credentials Authentication


1.0 Introduction

This guide describes how to configure Okta as an OAuth 2.0 authorization server to enable machine-to-machine (M2M) authentication using the Client Credentials Flow for onboarding an Amazon Web Services (AWS) connection in Fortanix Key Insight.

Configuring Okta involves the following steps:

  1. Configure an OAuth 2.0 API Service application (app) in Okta.

  2. Configure an authorization server in Okta.

  3. Obtain a JSON Web Token (JWT) access token from Okta.

  4. Onboard an AWS connection using the Client Credentials flow in Fortanix Key Insight.

2.0 Prerequisites

The following prerequisites are required to set up Okta for M2M authentication when onboarding an AWS connection in Fortanix Key Insight:

  • Access to Fortanix Key Insight

  • Access to an AWS account

  • Access to an Okta organization with permissions to create applications and authorization servers

  • Basic knowledge of the OAuth 2.0 Client Credentials flow

3.0 Add an OAuth 2.0 Application in Okta

Perform the following steps to log in to the Okta developer account and create an OAuth 2.0 (Client Credentials) app:

  1. Navigate to the Okta Developer Portal and log in using your credentials.

  2. Go to Applications → Applications.

  3. Click Create App Integration.


    Figure 1: Add an application in Okta

  4. On the Create a new app integration dialog box, select API Services, and click Next.

  5. On the New API Services App Integration page, enter the App integration name and click Save to create the app.

  6. After the app is created, copy the Client ID and Client secret values. You will need these values later in the Fortanix Key Insight user interface (UI) when setting up the IdP configuration for an AWS connection using the Client Credentials flow.

    For more information on setting up an IdP configuration using the Client Credentials flow during AWS connections onboarding, refer to Getting Started with Cloud Connection.


    Figure 2: Save Client ID and Client Secret

4.0 Configure Authorization Server Settings in Okta

After creating the app, perform the following steps to add and configure an authorization server in Okta:

  1. Navigate to Security → API. You will see the default API configuration, where the Audience value is set to api://default.

  2. Click Add Authorization Server.


    Figure 3: Add an authorization server

  3. In the Add Authorization Server dialog box, perform the following:

    1. Enter a Name and an Audience, and optionally a Description.

    2. Click Save to create a new authorization server.

    After adding the authorization server, you can access its configuration details.

  4. On the authorization server details page, go to the Scopes tab to view the list of default scopes. Click Add Scope to add a new custom scope:

    NOTE

    Select the Set as Default scope check box to mark this scope as the default.


    Figure 4: Add a Scope

  5. On the authorization server details page, go to the Access Policies tab and click Add Policy.

  6. In the Add Policy dialog box, perform the following:

    1. Enter a Name.

    2. Enter a Description.

    3. Set the Assign to field to All clients.

    4. Click Create Policy to add a new policy.

  7. For the created policy, click Add Rule.

  8. In the Add Rule dialog box, perform the following:

    1. Add a Rule Name.

    2. Set Grant Type to Client Credentials.

    3. Click Add Rule to add the rule to the policy.

    Figure 5: Add a new rule

5.0 Obtain a JWT Access Token from Okta

Perform the following steps to obtain a JWT access token from Okta:

  1. On the authorization server details page, go to the Settings tab and open the Metadata URI in a new browser tab.


    Figure 6: Access Well-known URI

    NOTE

    Copy the Metadata URI value. You will need this value later in the Fortanix Key Insight UI as the Well-Known URL when setting up the IdP configuration for an AWS connection using the Client Credentials flow.

    For more information on setting up an IdP configuration using the Client Credentials flow during AWS connections onboarding, refer to Getting Started with Cloud Connection.

  2. In the metadata JSON, locate the token_endpoint. For example, https://<yourdomain>.okta.com/oauth2/default/v1/token.

  3. Run the following cURL command to obtain a JWT Access Token:

    curl -X POST \
      --user '<app client id>:<app client secret>' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d 'grant_type=client_credentials' \
      '<token_endpoint>'

    Where,

    • <app client id> and <app client secret> are the Client ID and Client secret values copied in Section 3.0. cURL sends them as HTTP Basic authentication.

    • <token_endpoint> is the token_endpoint value located in the metadata JSON in the previous step.

    • grant_type is sent in the form-encoded request body, as the Content-Type header declares. If no scope was marked Set as Default in Section 4.0, also append &scope=<custom scope> to the -d value, otherwise Okta rejects the request.

  4. The response includes a JWT access token.

    Example:

    Figure 7: Access Token

    This confirms that the Client Credentials flow is working correctly.
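The following is an added example, not code from Fortanix or Okta, that mirrors what Sections 4.0 and 5.0 set up: it reads the token_endpoint and issuer out of the Metadata URI document, builds the same request the cURL command sends, and checks that the claims in the returned access token match the authorization server you configured (issuer, Audience, Client ID, expiry, and the custom scope). The metadata document, domain, Client ID, secret and token are constructed placeholders; the signature placeholder in the sample token means this code only inspects claims, while signature verification against the keys at jwks_uri is the relying party's job.

```python
"""Added example (not Fortanix or Okta code): discover the Okta token endpoint
from the authorization server metadata, build the Client Credentials token
request, and sanity-check the claims of the access token that comes back.
All domains, IDs, secrets and token values below are constructed placeholders."""
import base64
import json
from urllib.parse import urlencode

# Constructed excerpt of what the Metadata URI (well-known document) returns.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://example.okta.com/oauth2/ausEXAMPLE",
    "token_endpoint": "https://example.okta.com/oauth2/ausEXAMPLE/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/ausEXAMPLE/v1/keys",
    "grant_types_supported": ["client_credentials", "authorization_code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})


def parse_metadata(metadata_json):
    """Return (issuer, token_endpoint) after confirming client_credentials is offered."""
    meta = json.loads(metadata_json)
    if "client_credentials" not in meta.get("grant_types_supported", []):
        raise ValueError("authorization server does not advertise client_credentials")
    return meta["issuer"], meta["token_endpoint"]


def build_token_request(token_endpoint, client_id, client_secret, scope=None):
    """Assemble the pieces the cURL command sends: Basic auth header plus a
    form-encoded body. grant_type belongs in the body (RFC 6749 section 4.4.2);
    scope is only required when no scope was marked Set as Default in Okta."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Split a compact JWT and decode header and payload (signature not checked here)."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def check_access_token(token, expected_issuer, expected_audience, client_id, now,
                       required_scope=None):
    """Return a list of problems; an empty list means the claims match the Okta
    authorization server configuration. Okta puts the requesting app's Client
    ID in the cid claim and granted scopes in the scp list."""
    header, claims = decode_jwt_claims(token)
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg")
    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")
    if claims.get("aud") != expected_audience:
        problems.append("aud mismatch")
    if claims.get("cid") != client_id:
        problems.append("cid mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if required_scope and required_scope not in claims.get("scp", []):
        problems.append("missing scope")
    return problems


def _make_sample_token(claims):
    """Constructed sample token for offline use: real base64url header and
    payload, placeholder signature segment (no private key involved)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "KID_PLACEHOLDER"}), enc(claims),
                     "SIGNATURE_PLACEHOLDER"])


# Constructed claims shaped like an Okta client-credentials access token.
SAMPLE_CLIENT_ID = "0oaEXAMPLECLIENTID"
SAMPLE_CLAIMS = {
    "ver": 1, "iss": "https://example.okta.com/oauth2/ausEXAMPLE",
    "aud": "api://keyinsight", "iat": 1700000000, "exp": 1700003600,
    "cid": SAMPLE_CLIENT_ID, "sub": SAMPLE_CLIENT_ID, "scp": ["keyinsight.read"],
}
SAMPLE_TOKEN = _make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    issuer, endpoint = parse_metadata(SAMPLE_METADATA)
    req = build_token_request(endpoint, SAMPLE_CLIENT_ID, "client-secret-placeholder")
    print(req["method"], req["url"], req["body"])
    print("problems:", check_access_token(SAMPLE_TOKEN, issuer, "api://keyinsight",
                                          SAMPLE_CLIENT_ID, now=1700000100,
                                          required_scope="keyinsight.read"))
```

Run the check with the Audience you entered in Section 4.0 as expected_audience; a token whose aud is the default api://default instead of your own server's Audience is the most common sign that the Metadata URI copied for the Well-Known URL points at the wrong authorization server.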

6.0 Onboard an AWS Connection with Client Credentials Flow

After completing the Okta configuration, provide the following details in Fortanix Key Insight when onboarding the AWS connection using the Client Credentials flow:

  • Client ID

  • Client Secret

  • Well-known URL

  • Scopes (If any custom scopes were created in Okta)

For more information on setting up an IdP configuration using the Client Credentials flow during AWS connections onboarding, refer to Getting Started with Cloud Connection.