Client Secret Invalid

I’m trying to set up a new OAuth application and API in my Okta account. Following the guides posted here and here, I was able to create an application and authorization server.

Unfortunately, when testing, I’m receiving the following error:

{"error":"invalid_client","error_description":"The client secret supplied for a confidential client is invalid."}

The error would imply that my client_secret is incorrect. However, I copied the client id and secret from the application. In addition, I encoded the client ID and client secret appropriately ( echo client_id:client_secret | base64 ). Here’s the curl statement that I’m using for testing:

curl --request POST \
  --url {AUTH_SERVER}/v1/token \
  --header 'accept: application/json' \
  --header 'Authorization: Basic $AUTH' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=custom_scope+offline_access'

Any thoughts on what might be up?

Hi @faryenwede,

I was able to get this working by doing the following -

  1. Create a service application and note client_id and client_secret.
  2. Generate the base64 encoded auth header using (client_id:client_secret)
  3. Create a custom scope on your custom authorization server (I used the default authorization server)
  4. Make the following curl request -
curl --request POST \
  --url \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9h....' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=custom'

Make sure you’re using the right /token endpoint, the right encoding, and also try with only custom_scope first.
If you can post screenshots of your application and auth server, that might give some clues.

Thank you. That was the solution.

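An added example, not part of either post and not Okta's code, for step 2 of the answer (building the base64 Basic auth value) and the Authorization header in the curl requests above. It shows two shell details that change what the server receives: `echo` appends a newline that gets encoded after the secret, and single quotes stop `$AUTH` from being expanded. The credentials are constructed sample values, the function names are hypothetical, and a POSIX shell with `base64` and `od` is assumed.

```shell
#!/bin/sh
# Constructed sample credentials (not real Okta values).
CLIENT_ID='0oaEXAMPLEclientid'
CLIENT_SECRET='constructed-secret-value-long-enough-to-force-base64-line-wrapping-0123456789'

# The pipeline from the question: echo appends "\n", so the encoded bytes are
# "id:secret\n". GNU base64 also wraps long output at 76 columns.
basic_with_echo() {
  echo "$1:$2" | base64
}

# Encode exactly "id:secret": printf adds no newline, and tr removes any
# line wrapping so the value fits on one header line.
basic_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Hex dump of stdin on one line, used for byte-exact comparison
# (command substitution alone would hide a trailing newline).
hex() {
  od -An -v -tx1 | tr -d ' \n'
}

# Succeeds only if the token decodes to exactly "id:secret".
# Arguments: token, client id, client secret.
token_matches() {
  got=$(printf '%s' "$1" | base64 --decode | hex)
  want=$(printf '%s:%s' "$2" "$3" | hex)
  [ "$got" = "$want" ]
}

# Build the full header line. Pass it to curl in double quotes, e.g.
#   curl --request POST --url {AUTH_SERVER}/v1/token \
#     --header "$(auth_header "$CLIENT_ID" "$CLIENT_SECRET")" ...
# Inside single quotes the shell would send the literal text $AUTH instead.
auth_header() {
  printf 'Authorization: Basic %s' "$(basic_token "$1" "$2")"
}

tok=$(basic_token "$CLIENT_ID" "$CLIENT_SECRET")
token_matches "$tok" "$CLIENT_ID" "$CLIENT_SECRET" \
  && echo "printf token: decodes to exactly id:secret"
token_matches "$(basic_with_echo "$CLIENT_ID" "$CLIENT_SECRET")" "$CLIENT_ID" "$CLIENT_SECRET" \
  || echo "echo token: decoded bytes differ (trailing newline)"
```
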