Authorisation Error: invalid_client: Client authentication failed.Either the client or the client credentials are invalid

Hi
I was configuring "Add user authentication to your iOS app | Okta Developer" for our iOS application (Browser SignIn), to replace an old OktaSDK.
I can see the Okta login page and have successfully received the Duo push after entering my credentials. But later it says “Authorisation Error: invalid_client: Client authentication failed.Either the client or the client credentials are invalid”.

Our current Okta app has a client secret set up under ‘Client authentication’, so we tried removing the secret and setting Client authentication to none. This time it works, and we get the user details in the callback. But we cannot really make client authentication ‘none’. How can we get the data in the callback with client secret enabled in the Okta app settings? Can someone help on this, please?

Hello,
It sounds like in Okta you have a single application set up, with both a web application (which can secure a secret) and a mobile application (which can’t secure a secret) pointing to it?

If so, you should create 2 applications in Okta: one for the web application, where you have a trusted server to secure the secret, and one for the mobile application.
For the mobile application, configure the flow to be Authorization + PKCE.

PKCE is used for situations such as this, where the client will be making the /token request instead of a trusted server.

The following is a good blog post describing PKCE,

Hi … We don’t have two applications. In the existing iOS mobile application we are configuring the OIDC Browser SignIn. When we enable client secret in the Okta app settings page, authentication fails. How can I validate the user with the client secret? I simply tried including the secret key in the plist, but no luck. May I know the proper way of using the client secret for client authentication on the mobile app side? @erik

The Okta Mobile SDKs do not support storing a client secret to do an authorization flow; they only support authorization with PKCE.
If you want to store a client secret within a mobile application (not recommended), you will not be able to use the Okta SDK, or you can fork it and add that capability.
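As an added illustration of the PKCE exchange described in the two replies above (example code written for this thread, not code from the Okta SDK or the original posts), the following Python shows the verifier/challenge pair the app generates, the /authorize and /token requests it would send, and the check the authorization server performs in place of validating a client secret. The issuer, client ID and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """RFC 7636 4.1: 32 random bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        challenge: str, state: str) -> str:
    """Step 1: the app opens this in the system browser. Only the challenge
    leaves the device; the verifier stays in memory until the /token call."""
    params = {
        "client_id": client_id, "response_type": "code", "scope": "openid profile",
        "redirect_uri": redirect_uri, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return issuer + "/v1/authorize?" + urllib.parse.urlencode(params)

def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict:
    """Step 2: form body the app POSTs to /v1/token. There is no
    client_secret: the verifier is the proof of possession instead."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}

def server_accepts_verifier(stored_challenge: str, stored_method: str,
                            token_request: dict) -> bool:
    """What the authorization server checks at /token: the verifier must hash
    to the challenge that was bound to the code at /authorize."""
    verifier = token_request.get("code_verifier", "")
    if stored_method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(verifier), stored_challenge)
```

Because a leaked challenge cannot be turned back into the verifier, an intercepted authorization code is useless to anyone who does not also hold the verifier, which is what lets the mobile app authenticate without a secret.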


@erik Do we have to publish this internal app as well, on the OIN?
