Client secret, Resource Owner Flow

As per the OAuth specs, for the Resource Owner Flow you can call the /token resource without having to provide a client secret,
only username, password, grant_type, scope and client id.
The client secret should be optional.
How do I configure a resource owner flow application that has the client secret as optional?

I have created a Native app and allowed the resource owner password grant, but when calling the /token API, it always rejects the request with the below error:

    {
      "error": "invalid_client",
      "error_description": "Client authentication failed. Either the client or the client credentials are invalid."
    }

Also, as per the Okta blog, the client secret should be optional for the Resource Owner Flow:

Is your application configured as a public client, or does it have a client secret generated? If your application has a client secret available, your request will need to provide it for client authentication.

Can you update your Native application in Okta to “Use PKCE” instead of “Use Client Authentication” on the General Settings tab (as below) and retry the Resource Owner Password flow?

Thanks @andrea for your reply; however, PKCE is not applicable for the Resource Owner flow. My client won't be able to generate a PKCE, and I also don't want the extra call step of retrieving the token from the authorization code. PKCE is fine for the Authorization Code Flow with PKCE.

The flow that I am using is Resource Owner Password Flow which doesn’t include any PKCE generation.

As per the standards for the Resource Owner flow, the client secret is optional.

Hi @Alizahran

By design, the resource owner password flow requires an Authorization header containing the app credentials.

I’d like to encourage you to raise this as a feature enhancement request over our Okta Community here.

Features suggested in our community are reviewed and can be voted and commented on by other members of the community, therefore making it much easier for the engineering team to prioritize the new features.
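As an added example (not from the thread and not Okta's own code), the following Python shows the difference the replies above turn on: a public client sends client_id in the form body with no Authorization header, while a client that has a secret issued sends both id and secret as HTTP Basic credentials in the Authorization header, encoded the way RFC 6749 section 2.3.1 requires. The endpoint URL, user and client values are constructed placeholders.

```python
import base64
import urllib.request
from urllib.parse import quote, urlencode

# Constructed placeholder; not a real Okta org or token endpoint.
TOKEN_URL = "https://example.okta.com/oauth2/default/v1/token"


def basic_client_auth(client_id: str, client_secret: str) -> str:
    """HTTP Basic value per RFC 6749 s.2.3.1: each part is form-url-encoded
    *before* joining with ':' and base64-encoding, so secrets containing
    ':' or '%' survive the round trip."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_password_grant_request(username, password, client_id, scope,
                                 client_secret=None):
    """Return (headers, body) for a resource-owner-password token request.

    Public client (no secret issued): client_id travels in the form body.
    Confidential client (secret issued): client_id:secret goes in the
    Authorization header, which is what the reply above says the Okta
    /token endpoint expects. Sending the body form for a client that has
    a secret is what produces the invalid_client error quoted in the thread.
    """
    form = {"grant_type": "password", "username": username,
            "password": password, "scope": scope}
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        form["client_id"] = client_id
    else:
        headers["Authorization"] = basic_client_auth(client_id, client_secret)
    return headers, urlencode(form)


def post_token(url, headers, body, timeout=10):
    """Send the request; returns the raw JSON text (not called in this file)."""
    req = urllib.request.Request(url, data=body.encode("ascii"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```

Inspect the returned headers and body before sending; the only difference between the two shapes is where the client identity is carried.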
