Can't retrieve token

I created an App Integration in my Okta account using the documents found here:
https://developer.okta.com/docs/guides/implement-client-creds/setup-app/

I moved on to the next page in the sequence and setup the custom scope ‘api’ according to the linked document.

At this point I expected to be able to get a token from the /v1/token API endpoint on my developer auth server based on these instructions:
https://developer.okta.com/docs/guides/implement-client-creds/use-flow/
Note: I found an error in windows instructions: change ‘copycerutil’ to ‘certutil’

curl -Ssi \
  --request POST \
  --url "https://${OKTA_DOMAIN}/oauth2/default/v1/token" \
  --header 'accept: application/json' \
  --header "authorization: Basic ${Base64-encoded(OKTA_CLIENT_ID:OKTA_CLIENT_SECRET)}" \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data "grant_type=client_credentials&scope=api"

I have reviewed the values in OKTA_DOMAIN, OKTA_CLIENT_ID, and OKTA_CLIENT_SECRET and crossed checked them with what I have in the admin console.

I received a 400 response with the following body payload in JSON:

{"errorCode":"invalid_client","errorSummary":"A client_id must be provided in the request.","errorLink":"invalid_client","errorId":"oaeOWvKQh4RRgC72UzjhceYyA","errorCauses":[]}

Any hint as to what I am doing wrong?

What type of application did you create? If you instead format this call in Postman, can you get it to work (aka, maybe there is an issue with how you’re encoding your Authorization header)?

I followed the guide exactly, selecting “API Services”.
As to PostMan, unfortunately company policy does not allow me to install it on my machine. :frowning:
As to formatting of the auth header, I again followed the instructions exactly (which, by the way, need to be edited, since the Windows instructions for encoding the id/secret do not have all the information provided for the Non-Windows immediately above - like how to format the file with clientid:clientsecret on a single line).
So, to be explicit, my unencoded creds file looks like:
0oa4ro64j2i1ne07t5d7:Bb1mDAxD7ja6uzbt-UJ9rpSJsPfCKj1I3CUz-Pg3

I then ran:
certutil -encode appCreds.txt appbase64Creds.txt

Note, the instructions said "copycertutil -encode appCreds.txt appbase64Creds.txt " which is wrong.

Hi Joel, I wanted to let you know that I’ve tried this out on Windows and it looks like you’re right on about the certutil, and the -encode switch should encode it in Base 64. I’ve compared this with Postman’s conversion and they’re the exact same, so you should be good there.

I’d encourage you to retry copying and pasting your client ID and secret into your file, re-encoding it, and try it again. The only way I was able to reproduce this error is if the credentials didn’t match.

Also as a note, on Windows Command Prompt you’ll need to use ^ instead of \ to do a multi-line request. If it’s cutting off lines on you then that could also cause problems, but if you have a different terminal app this may not be a concern for you.

1 Like

Thanks for the feedback. I have tried several times to get this to work. I’ve deleted/readded the app in Okta. Recreated the B64 string. and recreated my curl using the new value. I’ve decoded the B64 file resulting in exactly what I started with. No joy. Nothing I do seems to make any difference. Is it possible there is some sort of curl setting causing an issue - perhaps a default encoding that doesn’t match what Okta expects? I’m at my wit’s end. This really shouldn’t be this hard.

Think we have identified the issue as being an issue with my machine. Thanks for all that looked into this.

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.