Node API with OAuth 2.0 Client Credentials Flow using Okta
oktadev/okta-node-client-credentials-flow-example
This example app shows how to use Node and Express to build an API that supports OAuth 2.0's client credentials.
Please read Secure a Node API with OAuth 2.0 Client Credentials to see how this app was created.
Prerequisites: Node.js.
Okta has Authentication and User Management APIs that reduce development time with instant-on, scalable user infrastructure. Okta's intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.
To install this example application, run the following commands:
```bash
git clone https://github.com/oktadeveloper/okta-node-client-credentials-flow-example.git
cd okta-node-client-credentials-flow-example
```
This will get a copy of the project installed locally. To install all of its dependencies, run:
```bash
npm install
```
To run the app:
```bash
npm run dev
```
Then, in a separate terminal window, run the following test to connect to it.
```bash
node test.js
```
Log in to your Okta Developer account (or sign up if you don't have an account) and navigate to Applications > Add Application. Click Single-Page App, click Next, and give the app a name you'll remember. Click Done.
The authorization server is where clients can request a token to use on your API server. Inside the Okta dashboard, click on the API tab in the header, then select the Authorization Servers tab. Click Add Authorization Server, then give your server a useful name and description. The Audience should be an absolute path for the server that will be consuming the tokens.
Once you create the authorization server, you will need a scope for your clients to access. Click the Scopes tab and add a scope. You can have many of these, which can help define what parts of the API are being used, or even who is using it.
Now that you have a scope, you also need to specify some rules to say who has access to it. Click the Access Policies tab and create a new policy. For now, just allow access to All clients. Then click Add Rule and give it a name. Since this is only for client credentials, remove the other grant types for acting on behalf of a user (Authorization Code, Implicit, and Resource Owner Password) so the only grant type is Client Credentials. Aside from that, just use the default settings for now.
Back on the Settings tab, take note of the Issuer. This is the address clients will use to request a token, and what your API server will use to verify that those tokens are valid.
In your Okta dashboard, click on Applications in the top header. Applications are also known as clients, so this is where you can create a test client. Click Add Application and choose Service (Machine-to-Machine). The only information it needs is a name, so you can use something like Test Client. This will give you the credentials for your client (in this testing case, that would be you).
Modify .env to use the settings you specified above.
```
ISSUER=https://{yourOktaDomain}/oauth2/abcdefg1234567
DEFAULT_SCOPE=such_scope
TEST_CLIENT_ID={yourClientId}
TEST_CLIENT_SECRET={yourClientSecret}
```
NOTE: The value of {yourOktaDomain} should be something like dev-123456.oktapreview.com. Make sure you don't include -admin in the value!
This example uses the following libraries provided by Okta:
Please post any questions as comments on the blog post, or visit our Okta Developer Forums. You can also email developers@okta.com if you would like to create a support ticket.
Apache 2.0, see LICENSE.