Client authentication using private_key_jwt failing with "Cannot supply multiple credentials"

Client authentication to token endpoint using private_key_jwt failing with invalid_request ("Cannot supply multiple client credentials")

I have added an OAuth 2 client app using the API. I have included a public key that corresponds to the private key that is used to generate the client assertion. From my traces I can see the POST to the token endpoint which includes the client assertion in the body. I don’t see any other credentials in the header of the request. Yet I still received the response “Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body”.

Any clues about how to troubleshoot this?

Hi @padonnelly,

Can you post your request here?
I have been able to get the access token from the /token endpoint using Postman successfully before.
Also, if you tell us how you created the OAuth 2 client app, that might be helpful.

Regards,
Vijet

Vijet - thanks for responding. Here are the request and response, and also the client application config (subject to the five-link limit).

–> POST https://dev-605035.okta.com/oauth2/default/v1/token
–> HEADERS {
'user-agent': 'openid-client/3.12.2 (https://github.com/panva/node-openid-client)',
accept: 'application/json',
'accept-encoding': 'gzip, deflate',
'content-type': 'application/x-www-form-urlencoded',
'content-length': 997
}
–> BODY grant_type=authorization_code&code=1BUAg8LpA8ENui043UCS&redirect_uri=https%3A%2F%2Fcareappconnect.ngrok.io%2Fauth%2Fnhssandbox%2Fredirect&client_id=0oa3w0bdzqtM8i181357&client_assertion=eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6InVvYmQ2SjZJakpxYTE1cDVsbHhGY1RyakxzbVV2cDZ0ZjRNUURyTjI5aFkifQ.eyJpYXQiOjE1ODk1MzI4MTMsImV4cCI6MTU4OTUzMjg3MywianRpIjoiY1g0TDBxR1JSU095X1RvRHFkT0VFVW9nU1hOS0JOdzBzcEt1M2ZIZnJNVSIsImlzcyI6IjBvYTN3MGJkenF0TThpMTgxMzU3Iiwic3ViIjoiMG9hM3cwYmR6cXRNOGkxODEzNTciLCJhdWQiOiJodHRwczovL2Rldi02MDUwMzUub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQvdjEvdG9rZW4ifQ.IWY_fMPFSxu6eYgoxCVge-OF6b8mUcrKnWRqT3R6dRDzLe5lr5WvQRp2K4AHfxrMWBN8V-fuYpJs6JoreF7Gnmc06aCd9BVV4IH312UlXzQRtxvcDaepi6bHLBKowiZZIOZ7dFgYrnZgQq3YuaEl_dzI-eO73wNGdT55qMJEZ5w9Z-KTVFbFiMTmQkkskrkJCivfzad4Kj_xZTTXzsZA_-n_q3bFeCPqnDF1So6z60rcibM5Ref_VFkyM-CXjkzBTCw5GxK0Oz2hy7SgKml0x0IP764wk9ZqcFOlq03Snx-1mPvkoTD940e8-ppdbWjBX2cwUHOJXu4oMls33u4RxQ&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer

<-- 401 FROM POST https://dev-605035.okta.com/oauth2/default/v1/token
<-- BODY {"error":"invalid_request","error_description":"Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body."}

{
    "id": "0oa3w0bdzqtM8i181357",
    "name": "oidc_client",
    "label": "NHS Simulator",
    "status": "ACTIVE",
    "lastUpdated": "2020-05-14T13:28:29.000Z",
    "created": "2020-05-13T11:33:29.000Z",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoSubmitToolbar": false,
        "hide": {
            "iOS": true,
            "web": true
        },
        "appLinks": {
            "oidc_client_link": true
        }
    },
    "features": [],
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        },
        "signing": {
            "kid": "A0JLuQsnm2vKLf8zjMkOwTftB7JzRitmXONa-h5BQh8"
        },
        "oauthClient": {
            "autoKeyRotation": true,
            "client_id": "0oa3w0bdzqtM8i181357",
            "token_endpoint_auth_method": "private_key_jwt"
        }
    },
    "settings": {
        "app": {},
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "oauthClient": {
            "jwks": {
                "keys": [
                    {
                        "kty": "RSA",
                        "kid": "uobd6J6IjJqa15p5llxFcTrjLsmUvp6tf4MQDrN29hY",
                        "use": "sig",
                        "e": "AQAB",
                        "n": "lojuZLF9ocSWHCrLSdVSHmTzwTltjr_8r-nBrPRXjBuKheSdIVXpSVKNSX9qNSJKsS_XDgLuZXvCW1L-caT8ovEXGazmq6azrgwAz2eNUr2NpjqBLvmg1pI52tPBgE0Ld1HHFO2B6eBsocf8au9NqZj9jci3KB6ztCitNzUcp_HTeiH0gRAvwXIthikjIHrXzqzDm39mf03J2jhTvsVYDFMtXQ0N1E2DB84pC2UgUMbevbV9ov8uB3gAvKN6fDrFUg98-3-Yoc8XuOkfVV-bIKCtGsyG0NIJea0p5bvrmT4Kr3Ez5uRArYDA9KYBV6LA3MHKigcYaIwTDFGjJ--X_w"
                    }
                ]
            },
            "client_uri": null,
            "logo_uri": null,
            "redirect_uris": [
                "https://careappconnect.ngrok.io/auth/nhssandbox/redirect"
            ],
            "response_types": [
                "code"
            ],
            "grant_types": [
                "authorization_code"
            ],
            "application_type": "web",
            "request_object_signing_alg": "RS512",
            "issuer_mode": "ORG_URL"
        }
    },
    "_links": {
        "appLinks": [
            {
                "name": "oidc_client_link",
                "href": "https://dev-605035.okta.com/home/oidc_client/0oa3w0bdzqtM8i181357/aln177a159h7Zf52X0g8",
                "type": "text/html"
            }
        ],
        "groups": {
            "href": "https://dev-605035.okta.com/api/v1/apps/0oa3w0bdzqtM8i181357/groups"
        },
        "logo": [
            {
                "name": "medium",
                "href": "https://ok7static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
                "type": "image/png"
            }
        ],
        "users": {
            "href": "https://dev-605035.okta.com/api/v1/apps/0oa3w0bdzqtM8i181357/users"
        },
        "deactivate": {
            "href": "https://dev-605035.okta.com/api/v1/apps/0oa3w0bdzqtM8i181357/lifecycle/deactivate"
        }
    }
}

Hi @padonnelly,

Shouldn’t the grant_type parameter in the body be client_credentials? Can you change that and give it a try?
Another thing I can suggest is to try making a curl request by passing client_assertion as a query parameter instead.
Something like this:

curl -X POST "https://{yourOktaDomain}/oauth2/v1/token" \
    -H "Accept: application/json" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials" \
    -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
    -d "client_assertion=eyJhbGciOiJSUzI1…..feCJfSqsJeEKGjJqp1accnXpPbCSi1-2UQ"

The scenario I’m trying to implement needs an authorization code flow. The end user is logging on using Okta so that they give consent to a web application to access their user information held on okta.

I will experiment with your suggestion - thanks. Although I’m puzzled because won’t a client secret be expected which would make the public/private key set arrangement superfluous?

Paul

Was there a resolution to this issue?

From my testing I receive this error if the “client_id” value is included in the payload along with the client_assertion and client_assertion_type. If the “client_id” is removed then the authorization code flow works as expected. My concern is around compliance with other providers and having to implement a variation to support Okta.

The examples provided in the Okta documentation include the “client_id” parameter as part of the payload.