Client secret, Resource Owner Flow

As per OAuth Specs, for Resource Owner Flow, you can call /token resource without having to provide client secret,
only username, password, grant_type, scope and client id.
client secret should be optional.
How to configure resource owner flow application that has the client secret as optional.

I have created an Native app, and allowed the resource owner password, but when calling /token API, it always reject the request with the below error:
“error”: “invalid_client”,
“error_description”: “Client authentication failed. Either the client or the client credentials are invalid.”

Also as per OKTA blog, client secret should be optional for Resource Owner Flow:

Is your application configured as a public client or does it have a Client Secret generated. If your application has a client secret available, your request will need to provide it for client authentication.

Can you update your Native application in Okta to “Use PKCE” instead of “Use Client Authentication” on the General Settings tab (as below) and retry the Resource Owner Password flow?

Thanks @andreaskouras for your reply, however PKCE is not applicable for Resource Owner flow, My client won’t be able to generate a PKCE, also I don’t want the extra call step to retrieve the token from authorization code, PKCE is fine for Authorization Code Flow with PKCE

The flow that I am using is Resource Owner Password Flow which doesn’t include any PKCE generation.

As per the standards for Resource owner flow client secret is optional.

Hi @Alizahran

By design, the resource owner password flow requires an Authorization header containing the app credentials.

I’d like to encourage you to raise this as a feature enhancement request over our Okta Community here.

Features suggested in our community are reviewed and can be voted and commented on by other members of the community, therefore making it much easier for the engineering team to prioritize the new features.