I’m doing an MFA on a native mobile app: first username & password, then SMS code verification. This works great.
When I’m calling the REST API oauth2/default/v1/authorize with a code challenge (PKCE), I receive a redirect response with a code. Then I call oauth2/default/v1/token with the following params:
The returned code
The code verifier used to create the code challenge
grant_type=authorization_code
redirect uri
This call results in: invalid_client: No client credentials found.
The ‘Client authentication’ is set to ‘Use PKCE (for public clients)’.
I tried to use a client secret instead of PKCE and it works (I managed to get tokens), but when trying to use PKCE it returns the error: invalid_client: No client credentials found. This is a mobile native app. We don’t (and shouldn’t, according to OAuth2) store the client secret in the app bundle.
Take a look at this example from @micah.silverman
It’s JavaScript, but there isn’t much logic there, so it should be portable to your language of choice (and this CLI tool/script may help you verify that your Okta Application is set up correctly).
I used the example you sent me with our Okta application, but it didn’t work.
The code verifier follows the same pattern as the JS example code you sent me, and the same code challenge is generated from my project and from the JS example code you sent me.
But still, I’m receiving invalid_client: No client credentials found error.
Any idea? Do you have logs you can check to see what is missing?
By the way, the documentation of /token api is a bit confusing.
According to the documentation, client_id is required only when the client has a secret and client credentials are not provided in the Authorization header. I thought that this means client_id is required only when using a client secret instead of PKCE.