My app is configured to use PKCE for client authentication and I’m trying to use Postman to get a new access token but it’s coming back with: Error: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.
I’m seeing the Authorization header being set in the POST https://dev-587152.okta.com/oauth2/default/v1/token call. In the body, I’m seeing code, code_verifier, and client_id being set. I’m not seeing client_assertion being set in the body.
What can be done so Postman is able to get a new access token?
As your application does not have a client secret (it uses PKCE for client authentication instead), the Client ID in the request body should be all you need.
Can you try removing the Authorization header from your request and seeing if that works?
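As an added example (not part of this thread or of Okta's or Postman's own code), this shows what a public PKCE client's token exchange should contain and why the Postman button's request tripped Okta's check: the issuer and callback URL are the ones quoted in the thread, while the client_id and authorization code are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

ISSUER = "https://dev-587152.okta.com/oauth2/default"  # issuer from the thread
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"    # Postman callback from the thread


def make_pkce_pair():
    """RFC 7636: random code_verifier (43-128 unreserved chars) and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 chars from the URL-safe base64 alphabet
    return verifier, _s256(verifier)


def _s256(verifier):
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(verifier, challenge):
    """What the authorization server does at /v1/token: recompute the challenge and compare."""
    return secrets.compare_digest(_s256(verifier), challenge)


def credential_methods(headers, body):
    """List each client-authentication method a token request carries; Okta's
    'Cannot supply multiple client credentials' corresponds to more than one."""
    methods = []
    if any(k.lower() == "authorization" for k in headers):
        methods.append("authorization_header")
    if "client_id" in body or "client_secret" in body:
        methods.append("post_body_credentials")
    if "client_assertion" in body:
        methods.append("client_assertion")
    return methods


def build_token_request(client_id, code, verifier, basic_header=False):
    """Build the authorization_code + PKCE exchange for a public client.
    basic_header=True reproduces what the Postman button did in the thread:
    an Authorization header on top of client_id in the body."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": client_id, "code_verifier": verifier}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if basic_header:  # public client: empty secret after the colon
        headers["Authorization"] = "Basic " + base64.b64encode(f"{client_id}:".encode()).decode()
    methods = credential_methods(headers, body)
    if len(methods) > 1:
        raise ValueError("Cannot supply multiple client credentials: " + ", ".join(methods))
    return f"{ISSUER}/v1/token", headers, urlencode(body)
```

The same `credential_methods` check run against a captured Postman Console request tells you which of the three mechanisms to drop before retrying.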
After hand-crafting the Get New Access Token call (instead of using the built-in Postman button) and not including the Authorization header, I’m now getting “Invalid value for 'client_id' parameter.” even though the value was copied and pasted directly from my app config in Okta. errorCauses is empty.
In the Okta admin site I only enabled auth code (no implicit) for my app. I do see I added this under “Login Redirect URIs”… https://oauth.pstmn.io/v1/callback
…and also under trusted origins…
I see that your config is similar.
Also, your callback URL is https://localhost:44300. Make sure to whitelist that in Okta admin console as well, if you haven’t already.
This is the request I see in the Postman Console -
@vijet I initially had URLs like yours and I’d always get a 400 error
…/oauth2/v1/…
Somebody told me to specify default (as I see @november.yankee is already doing) and then it started working
…/oauth2/default/v1/…
Would be cool if postman detected expired tokens and re-challenged for credentials. Or at least make it obvious that the token expired – it’s something like 5 clicks to get to the token list.
{yourOktaDomain}/oauth2/v1/ is the Okta org Authorization Server. This endpoint gives you tokens with which you can make calls to Okta APIs, i.e. it protects Okta APIs.
{yourOktaDomain}/oauth2/default/v1/ is a Custom Authorization Server (named default). This endpoint is used to protect your own custom APIs.
I tried with the /default/v1 endpoint and this config works for that as well.
Here’s the difference between the 2 servers - https://developer.okta.com/docs/concepts/auth-servers/#available-authorization-server-types