Authorization fail with invalid_client: No client credentials found

Hi,

I’m doing a MFA on native mobile app: first username & password, then SMS code verification. This works great.
When I’m calling to rest API oauth2/default/v1/authorize, with code challenge (PKCE), I receive a redirect response with code. Calling to oauth2/default/v1/token with the following params:

  1. The returned code
  2. The code verifier used to create the code challenge
  3. grant_type=authorization_code
  4. redirect uri

This call results in: invalid_client: No client credentials found.

What am I missing?

Thanks

Hey @yossilili!
Which client library are you using, and how do you have it configured?

Hi,
I’m using your REST API in an iOS native app, since I want a custom UI without web pages.

What does the content of your html message look like?

client_id Required if client has a secret and client credentials are not provided in the Authorization header.

Hi,

This is the ‘authorize’ request:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/authorize?client_id=0oahmliaoeDUe1hUM0h7&nonce=F9BA335B-1C42-46B2-9D90-CD7525A54941&response_type=code&scope=offline_access%20openid%20email&state=none&redirect_uri=lilibanking://authorized&prompt=none&code_challenge=OU0wFOxZeSw9rmHlXs-lpSHaVt8CkFHlJpxKXPp07ig&code_challenge_method=S256&sessionToken=20111Ejlx-Vi14hNhGunBfTwwUGobg4XC1wm0xDSyvyH3u2ip2RyxrQ

HTTP Headers:

  • Accept: application/json

  • Content-Type: application/x-www-form-urlencoded

This is the redirect request to ‘token’:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/token?grant_type=authorization_code&redirect_uri=lilibanking://authorized&code=ouhjfylR45gWjtOEwziW&code_verifier=Tc0TNk40R6jIquzUYGk62aaDRMcXkl3RcDGh1yrzXsSdK-pvbpSDzL_E2j6d819ht-xkeaow2EbFD1lM

HTTP Headers:

  • Accept: application/json

  • Content-Type: application/x-www-form-urlencoded

The ‘Client authentication’ is set to ‘Use PKCE (for public clients)’.

I tried to use a client secret instead of PKCE and it works (I managed to get tokens), but when trying to use PKCE it returns the error: invalid_client: No client credentials found. This is a mobile native app. We don’t (and shouldn’t, according to OAuth2) store the client secret in the app bundle.

Hey @yossilili

Take a look at this example from @micah.silverman
It’s JavaScript, but there isn’t much logic there so it should be portable to your language of choice (and this CLI tool/script may help you verify that your Okta Application is set up correctly).

Keep us posted!

Hi,

I used the example you sent me with our Okta application, but it didn’t work.
The code verifier follows the same pattern as the JS example code you sent me, and my project and the JS example code generate the same code challenge.

But still, I’m receiving invalid_client: No client credentials found error.

Any idea? do you have logs you can check what is missing?

Best,

Yossi

Sounds like the problem is with the configuration of your Okta Application. Can you share a screenshot or the config details?

(deleted) Problem was solved. I just figured out that I had created the wrong application type.


For us, the problem still happens. Those are our configurations.

@yossilili

What does your application’s configuration look like?

Sorry, those are the configuration screenshots


Did you get a chance to check my screenshot?

Hey there:

Looking over your requests, I see two things:

  1. the call to /token must be a POST
  2. the call to /token must also include the client_id= param

When I leave off client_id, I get the same result you did. With the client_id, it works great!

Hope this helps!
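To make the two points above concrete, here is an added example (not code from the thread, from Okta, or from the linked JavaScript script) of a public-client PKCE flow: it generates the code_verifier and S256 code_challenge per RFC 7636, builds the /authorize URL, and builds the /token request as a POST with a form-encoded body that carries client_id and code_verifier but no client secret. The issuer, client ID and redirect URI are placeholders, and the request is returned as a dict rather than sent, so the block runs offline; the checks in `challenge_matches` mirror what the authorization server does with the verifier at /token.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions for this example); take the real ones from
# the Okta application settings. A native/public app has no client secret.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "myapp://authorized"


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 64) -> str:
    """Random verifier; 64 bytes encode to 86 chars, within the 43-128 limit."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def challenge_matches(challenge: str, verifier: str) -> bool:
    """The check the server performs at /token: recompute and compare."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(challenge: str, state: str, nonce: str) -> str:
    """GET /authorize: the challenge goes here, the verifier stays on the device."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid email offline_access",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """POST /token for a public client: client_id in the body, no secret,
    parameters form-encoded in the body rather than in the query string."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    return {
        "method": "POST",
        "url": f"{ISSUER}/v1/token",
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorize_url(challenge, state=secrets.token_urlsafe(16),
                              nonce=secrets.token_urlsafe(16)))
    # "CODE_FROM_REDIRECT" stands in for the code returned on the redirect URI.
    print(build_token_request("CODE_FROM_REDIRECT", verifier))
```

The authorize request in the thread additionally passes `sessionToken` (from the username/password plus SMS step) and `prompt=none`; those can be appended to the same query string. Keep the verifier in memory on the device only for the life of one authorization attempt, and generate a fresh one per attempt.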

Hi Micah,

It worked. Thanks for your help.

By the way, the documentation of /token api is a bit confusing.

According to the documentation, client_id is required only when the client has a secret and client credentials are not provided in the Authorization header. I thought that this means client_id is required only when using a client secret instead of PKCE.
