Authorization fail with invalid_client: No client credentials found

yossilili · 2018-11-19 12:29:09 UTC

Hi,

I’m doing a MFA on native mobile app: first username & password, then SMS code verification. This works great.
When I’m calling to rest API oauth2/default/v1/authorize, with code challenge (PKCE), I receive a redirect response with code. Calling to oauth2/default/v1/token with the following params:

The returned code
The code verifier used to create the code challenge
grant_type=authorization_code
redirect uri

This call results: invalid_client: No client credentials found.

What am I missing?

Thanks

bdemers · 2018-11-19 20:35:25 UTC

Hey @yossilili!
Which client library are you using, and how do you have it configured?

yossilili · 2018-11-21 08:51:53 UTC

Hi,
I’m using you Rest API in iOS native app, since I want custom UI without web pages

bdemers · 2018-11-21 14:07:39 UTC

What does the content of your html message look like?

Govner · 2018-11-21 15:04:03 UTC

client_id Required if client has a secret and client credentials are not provided in the Authorization header.

yossilili · 2018-11-22 09:40:16 UTC

Hi,

This is the ‘authorize’ request:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/authorize?client_id=0oahmliaoeDUe1hUM0h7&nonce=F9BA335B-1C42-46B2-9D90-CD7525A54941&response_type=code&scope=offline_access%20openid%20email&state=none&redirect_uri=lilibanking://authorized&prompt=none&code_challenge=OU0wFOxZeSw9rmHlXs-lpSHaVt8CkFHlJpxKXPp07ig&code_challenge_method=S256&sessionToken=20111Ejlx-Vi14hNhGunBfTwwUGobg4XC1wm0xDSyvyH3u2ip2RyxrQ

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

This is the redirect request to ‘token’:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/token?grant_type=authorization_code&redirect_uri=lilibanking://authorized&code=ouhjfylR45gWjtOEwziW&code_verifier=Tc0TNk40R6jIquzUYGk62aaDRMcXkl3RcDGh1yrzXsSdK-pvbpSDzL_E2j6d819ht-xkeaow2EbFD1lM

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

The ‘Client authentication’ is set to ‘Use PKCE (for public clients)’.

I tried to use client secret instead of PKCE and it works (I managed to get tokens), but when trying to use PKCE it returns error: invalid_client: No client credentials found. This is a mobile native app. We don’t (and shouldn’t according Oath2) store the client secret in the app bundle.

yossilili · 2018-11-26 14:50:13 UTC

Hi,

This is the ‘authorize’ request:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/authorize?client_id=0oahmliaoeDUe1hUM0h7&nonce=F9BA335B-1C42-46B2-9D90-CD7525A54941&response_type=code&scope=offline_access%20openid%20email&state=none&redirect_uri=lilibanking://authorized&prompt=none&code_challenge=OU0wFOxZeSw9rmHlXs-lpSHaVt8CkFHlJpxKXPp07ig&code_challenge_method=S256&sessionToken=20111Ejlx-Vi14hNhGunBfTwwUGobg4XC1wm0xDSyvyH3u2ip2RyxrQ

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

This is the redirect request to ‘token’:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/token?grant_type=authorization_code&redirect_uri=lilibanking://authorized&code=ouhjfylR45gWjtOEwziW&code_verifier=Tc0TNk40R6jIquzUYGk62aaDRMcXkl3RcDGh1yrzXsSdK-pvbpSDzL_E2j6d819ht-xkeaow2EbFD1lM

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

The ‘Client authentication’ is set to ‘Use PKCE (for public clients)’.

I tried to use client secret instead of PKCE and it works (I managed to get tokens), but when trying to use PKCE it returns error: invalid_client: No client credentials found. This is a mobile native app. We don’t (and shouldn’t according Oath2) store the client secret in the app bundle.

bdemers · 2018-11-26 15:17:45 UTC

Hey @yossilili

Take a look at this example from @micah.silverman
It’s javascript, but there isn’t much logic there so it should be portable to your language of choice (and this CLI tool/script may help you verify that your Okta Application is setup correctly)

Keep us posted!

yossilili · 2018-11-29 12:40:29 UTC

Hi,

I used the example you send me with our Okta application, but it didn’t work.
Code verifier is at the same pattern as the js example code you send me, and same code challenge generated from my project and the js example code you send me.

But still, I’m receiving invalid_client: No client credentials found error.

Any idea? do you have logs you can check what is missing?

Best,

Yossi

bdemers · 2018-11-29 14:41:21 UTC

Sounds like the problem is with the configuration of your Okta Application. Can you share a screenshot or the config details?

Lootkeeper · 2018-12-03 08:45:17 UTC

(deleted) Problem was solved. Just figured out, that i have created a wrong application type.

yossilili · 2018-12-03 15:13:29 UTC

For us, the problem still happens. Those are out configurations

bdemers · 2018-12-03 16:39:19 UTC

@yossilili

What does your application’s configuration look like?

yossilili · 2018-12-03 20:59:17 UTC

Sorry, those are the configuration screenshots

yossilili · 2018-12-10 14:38:28 UTC

Did you get a chance to check my screenshot?

micah.silverman · 2018-12-12 16:04:45 UTC

Hey there:

Looking over your requests, I see two things:

the call to /token must be a POST
the call to /token must also include the client_id= param

When I leave off client_id, I get the same result you did. With the client_id, it works great!

Hope this helps!

yossilili · 2018-12-16 09:36:22 UTC

Hi Micah,

It worked. Thanks for your help.

By the way, the documentation of /token api is a bit confusing.

According the documentation, client_id is required only when client has a secret and client credentials are not provided in the Authorization header. I thought that this means client_id is required only when using client secret instead of PKCE.