Authorization fail with invalid_client: No client credentials found

yossilili · November 19, 2018, 12:29pm

Hi,

I’m doing a MFA on native mobile app: first username & password, then SMS code verification. This works great.
When I’m calling to rest API oauth2/default/v1/authorize, with code challenge (PKCE), I receive a redirect response with code. Calling to oauth2/default/v1/token with the following params:

The returned code
The code verifier used to create the code challenge
grant_type=authorization_code
redirect uri

This call results: invalid_client: No client credentials found.

What am I missing?

Thanks

bdemers · November 19, 2018, 8:35pm

Hey @yossilili!
Which client library are you using, and how do you have it configured?

yossilili · November 21, 2018, 8:52am

Hi,
I’m using you Rest API in iOS native app, since I want custom UI without web pages

bdemers · November 21, 2018, 2:07pm

What does the content of your html message look like?

Govner · November 21, 2018, 3:04pm

client_id Required if client has a secret and client credentials are not provided in the Authorization header.

yossilili · November 22, 2018, 9:40am

Hi,

This is the ‘authorize’ request:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/authorize?client_id=0oahmliaoeDUe1hUM0h7&nonce=F9BA335B-1C42-46B2-9D90-CD7525A54941&response_type=code&scope=offline_access%20openid%20email&state=none&redirect_uri=lilibanking://authorized&prompt=none&code_challenge=OU0wFOxZeSw9rmHlXs-lpSHaVt8CkFHlJpxKXPp07ig&code_challenge_method=S256&sessionToken=20111Ejlx-Vi14hNhGunBfTwwUGobg4XC1wm0xDSyvyH3u2ip2RyxrQ

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

This is the redirect request to ‘token’:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/token?grant_type=authorization_code&redirect_uri=lilibanking://authorized&code=ouhjfylR45gWjtOEwziW&code_verifier=Tc0TNk40R6jIquzUYGk62aaDRMcXkl3RcDGh1yrzXsSdK-pvbpSDzL_E2j6d819ht-xkeaow2EbFD1lM

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

The ‘Client authentication’ is set to ‘Use PKCE (for public clients)’.

I tried to use client secret instead of PKCE and it works (I managed to get tokens), but when trying to use PKCE it returns error: invalid_client: No client credentials found. This is a mobile native app. We don’t (and shouldn’t according Oath2) store the client secret in the app bundle.

yossilili · November 26, 2018, 2:50pm

Hi,

This is the ‘authorize’ request:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/authorize?client_id=0oahmliaoeDUe1hUM0h7&nonce=F9BA335B-1C42-46B2-9D90-CD7525A54941&response_type=code&scope=offline_access%20openid%20email&state=none&redirect_uri=lilibanking://authorized&prompt=none&code_challenge=OU0wFOxZeSw9rmHlXs-lpSHaVt8CkFHlJpxKXPp07ig&code_challenge_method=S256&sessionToken=20111Ejlx-Vi14hNhGunBfTwwUGobg4XC1wm0xDSyvyH3u2ip2RyxrQ

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

This is the redirect request to ‘token’:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/token?grant_type=authorization_code&redirect_uri=lilibanking://authorized&code=ouhjfylR45gWjtOEwziW&code_verifier=Tc0TNk40R6jIquzUYGk62aaDRMcXkl3RcDGh1yrzXsSdK-pvbpSDzL_E2j6d819ht-xkeaow2EbFD1lM

HTTP Headers:

Accept: application/json
Content-Type: application/x-www-form-urlencoded

The ‘Client authentication’ is set to ‘Use PKCE (for public clients)’.

I tried to use client secret instead of PKCE and it works (I managed to get tokens), but when trying to use PKCE it returns error: invalid_client: No client credentials found. This is a mobile native app. We don’t (and shouldn’t according Oath2) store the client secret in the app bundle.

bdemers · November 26, 2018, 3:17pm

Hey @yossilili

Take a look at this example from @micah.silverman
It’s javascript, but there isn’t much logic there so it should be portable to your language of choice (and this CLI tool/script may help you verify that your Okta Application is setup correctly)

Keep us posted!

yossilili · November 29, 2018, 12:40pm

Hi,

I used the example you send me with our Okta application, but it didn’t work.
Code verifier is at the same pattern as the js example code you send me, and same code challenge generated from my project and the js example code you send me.

But still, I’m receiving invalid_client: No client credentials found error.

Any idea? do you have logs you can check what is missing?

Best,

Yossi

bdemers · November 29, 2018, 2:41pm

Sounds like the problem is with the configuration of your Okta Application. Can you share a screenshot or the config details?

Lootkeeper · December 3, 2018, 9:24am

(deleted) Problem was solved. Just figured out, that i have created a wrong application type.

yossilili · December 3, 2018, 3:13pm

For us, the problem still happens. Those are out configurations

bdemers · December 3, 2018, 4:39pm

@yossilili

What does your application’s configuration look like?

yossilili · December 3, 2018, 8:59pm

Sorry, those are the configuration screenshots

yossilili · December 10, 2018, 2:38pm

Did you get a chance to check my screenshot?

micah.silverman · December 12, 2018, 4:04pm

Hey there:

Looking over your requests, I see two things:

the call to /token must be a POST
the call to /token must also include the client_id= param

When I leave off client_id, I get the same result you did. With the client_id, it works great!

Hope this helps!

yossilili · December 16, 2018, 9:36am

Hi Micah,

It worked. Thanks for your help.

By the way, the documentation of /token api is a bit confusing.

According the documentation, client_id is required only when client has a secret and client credentials are not provided in the Authorization header. I thought that this means client_id is required only when using client secret instead of PKCE.