Reference: https://developer.okta.com/docs/guides/implement-oauth-for-okta/create-oauth-app/
Step 1:
curl -X POST \
-H 'Accept: application/json' \
-H "Authorization: SSWS ${api_token}" \
-H 'Content-Type: application/json' \
-d ' {
"client_name": "Service Client Name",
"response_types": [
"token"
],
"grant_types": [
"client_credentials"
],
"token_endpoint_auth_method": "private_key_jwt",
"application_type": "service",
"jwks": {
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "O4O",
"alg": "RS256",
"n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"
}
]
}
}' "https://${yourOktaDomain}/oauth2/v1/clients"
Step 2:
curl -X POST \
-H 'Accept: application/json' \
-H "Authorization: SSWS ${api_token}" \
-H 'Content-Type: application/json' \
-d '{
"scopeId": "okta.users.read",
"issuer": "https://{yourOktaDomain}"
}' "https://${yourOktaDomain}/api/v1/apps/{serviceappclient_id}/grants"
In the above screenshot, the client secret is missing. Is this expected?
Step 3:
curl -X POST "https://{yourOktaDomain}/oauth2/v1/token" \
-H "Accept: application/json" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials\
&scope=okta.users.read\
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer\
&client_assertion=eyJhbGciOiJSUzI1…..feCJfSqsJeEKGjJqp1accnXpPbCSi1-2UQ"
Error: [The issuer and subject claim for client_assertion is invalid because the client does not have a client secret]
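
The error above names the issuer and subject claims of the client_assertion. The following Python code is an added example, not part of the original post or of Okta's code: it decodes an assertion locally and checks the header and claims that private_key_jwt client authentication expects (RFC 7523: iss and sub equal to the client_id, aud naming the token endpoint), without verifying the signature. The client ID and domain are constructed placeholders, and the one-hour exp ceiling is assumed from Okta's documentation for this flow.

```python
import base64
import json
import time

CLIENT_ID = "0oa-constructed-client-id"                  # constructed placeholder
TOKEN_URL = "https://example.okta.com/oauth2/v1/token"   # placeholder Okta domain
REGISTERED_KID = "O4O"                                   # kid of the JWK registered in Step 1

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample(header, claims):
    """Build a constructed, unsigned sample token (the signature segment is a dummy)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

def check_client_assertion(jwt, client_id, token_url, kid, now=None):
    """Return a list of problems in the header and claims. The signature is not verified."""
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["expected three dot-separated segments"]
    try:
        header, claims = (json.loads(_b64url_decode(p)) for p in parts[:2])
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        return [f"header or payload does not decode: {exc}"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header and payload must both be JSON objects"]
    problems = []
    alg = str(header.get("alg"))
    if alg.startswith("HS"):
        problems.append(f"alg {alg} is an HMAC algorithm (client_secret_jwt), not private_key_jwt")
    elif alg != "RS256":
        problems.append(f"alg {alg} differs from the registered key's RS256")
    if header.get("kid") != kid:
        problems.append("kid does not match the registered JWK")
    for name in ("iss", "sub"):
        if claims.get(name) != client_id:
            problems.append(f"{name} must equal the client_id")
    aud = claims.get("aud")
    if token_url not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud must be the token endpoint URL")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or already in the past")
    elif exp > now + 3600:  # assumed Okta limit: at most one hour ahead
        problems.append("exp is more than one hour ahead")
    return problems
```

An empty list means the header and claims have the expected shape; it says nothing about whether the signature matches the registered public key.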