Authorization fail with invalid_client: No client credentials found


#1

Hi,

I’m doing an MFA on a native mobile app: first username & password, then SMS code verification. This works great.
When I call the REST API oauth2/default/v1/authorize with a code challenge (PKCE), I receive a redirect response with a code. Calling oauth2/default/v1/token with the following params:

  1. The returned code
  2. The code verifier used to create the code challenge
  3. grant_type=authorization_code
  4. redirect URI

This call results in: invalid_client: No client credentials found.

What am I missing?

Thanks


#2

Hey @yossilili!
Which client library are you using, and how do you have it configured?


#3

Hi,
I’m using your REST API in an iOS native app, since I want a custom UI without web pages.


#4

What does the content of your html message look like?


#5

client_id Required if client has a secret and client credentials are not provided in the Authorization header.


#6

Hi,

This is the ‘authorize’ request:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/authorize?client_id=0oahmliaoeDUe1hUM0h7&nonce=F9BA335B-1C42-46B2-9D90-CD7525A54941&response_type=code&scope=offline_access%20openid%20email&state=none&redirect_uri=lilibanking://authorized&prompt=none&code_challenge=OU0wFOxZeSw9rmHlXs-lpSHaVt8CkFHlJpxKXPp07ig&code_challenge_method=S256&sessionToken=20111Ejlx-Vi14hNhGunBfTwwUGobg4XC1wm0xDSyvyH3u2ip2RyxrQ

HTTP Headers:

  • Accept: application/json

  • Content-Type: application/x-www-form-urlencoded

This is the redirect request to ‘token’:

URL: https://dev-361990.oktapreview.com/oauth2/default/v1/token?grant_type=authorization_code&redirect_uri=lilibanking://authorized&code=ouhjfylR45gWjtOEwziW&code_verifier=Tc0TNk40R6jIquzUYGk62aaDRMcXkl3RcDGh1yrzXsSdK-pvbpSDzL_E2j6d819ht-xkeaow2EbFD1lM

HTTP Headers:

  • Accept: application/json

  • Content-Type: application/x-www-form-urlencoded

The ‘Client authentication’ is set to ‘Use PKCE (for public clients)’.

I tried to use a client secret instead of PKCE and it works (I managed to get tokens), but when trying to use PKCE it returns the error: invalid_client: No client credentials found. This is a mobile native app. We don’t (and shouldn’t, according to OAuth2) store the client secret in the app bundle.
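As an added example (not code from the thread, and not Okta’s own library), here is the flow from post #6 written for a public client in Python: the verifier/challenge pair, the front-channel authorize URL, the state check on the app-scheme redirect, and the token exchange as a POST form body that carries client_id next to code_verifier, which is the case post #5 describes. The issuer, client_id and redirect scheme are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh high-entropy code_verifier (86 chars, within the 43..128 range) and its challenge."""
    verifier = b64url(secrets.token_bytes(64))
    return verifier, s256_challenge(verifier)


def build_authorize_url(issuer, client_id, redirect_uri, challenge, state, nonce):
    """Front-channel request: only the challenge leaves the device, never the verifier."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": "openid email offline_access", "redirect_uri": redirect_uri,
              "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def code_from_redirect(redirect_url: str, expected_state: str) -> str:
    """Pull the code out of the app-scheme redirect; reject a state mismatch."""
    qs = parse_qs(redirect_url.split("?", 1)[1])
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible forged redirect")
    return qs["code"][0]


def build_token_request(issuer, client_id, redirect_uri, code, verifier):
    """Back-channel request for a public client: a POST form body carrying client_id
    and code_verifier, with no Authorization header and no client_secret."""
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}
    return {"method": "POST", "url": f"{issuer}/v1/token",
            "headers": {"Accept": "application/json",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}
```

The verifier and state must be generated fresh per login and kept only in process memory until the token response arrives.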


#8

Hey @yossilili

Take a look at this example from @micah.silverman
It’s JavaScript, but there isn’t much logic there, so it should be portable to your language of choice (and this CLI tool/script may help you verify that your Okta Application is set up correctly).

Keep us posted!


#9

Hi,

I used the example you sent me with our Okta application, but it didn’t work.
The code verifier follows the same pattern as in the JS example code you sent me, and the same code challenge is generated by my project and by the JS example code you sent me.

But still, I’m receiving invalid_client: No client credentials found error.

Any idea? Do you have logs you can check to see what is missing?

Best,

Yossi


#10

Sounds like the problem is with the configuration of your Okta Application. Can you share a screenshot or the config details?


#11

(deleted) Problem was solved. I just figured out that I had created the wrong application type.


#12

For us, the problem still happens. These are our configurations.


#13

@yossilili

What does your application’s configuration look like?


#14

Sorry, these are the configuration screenshots.