Error: Cannot supply multiple client credentials

My app is configured to use PKCE for client authentication and I’m trying to use Postman to get a new access token but it’s coming back with: Error: Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.

I’m seeing the Authorization header being set in the POST call. In the body, I’m seeing code, code_verifier, and client_id being set. I’m not seeing client_assertion being set in the body.

What can be done so Postman is able to get a new access token?

As your application does not have a client secret (using PKCE for client authentication instead), Client ID in the request body should be all you need.

Can you try removing the Authorization header from your request and seeing if that works?
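As an added illustration (not code from any poster in this thread), the script below builds the PKCE pair and the /authorize and /token requests a public client should send, and mirrors the server's complaint by counting how many credential carriers a request contains. The Okta domain, client_id and the exact counting rule are assumptions; only the redirect URI and the error message come from the thread.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders; substitute your own Okta org and app values.
OKTA_DOMAIN = "https://dev-000000.okta.com"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "https://localhost:44300"   # callback URL mentioned in the thread


def challenge_for(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) with '=' padding stripped (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh 43-char verifier (32 random bytes, base64url, no padding) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, challenge_for(verifier)


def _endpoint(name: str, auth_server: str) -> str:
    # auth_server="default" -> /oauth2/default/v1/...; auth_server="" -> org server /oauth2/v1/...
    return f"{OKTA_DOMAIN}/oauth2/{auth_server + '/' if auth_server else ''}v1/{name}"


def authorize_url(code_challenge: str, state: str, auth_server: str = "default") -> str:
    """Browser redirect that starts the authorization code + PKCE flow."""
    query = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile",
             "redirect_uri": REDIRECT_URI, "state": state,
             "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{_endpoint('authorize', auth_server)}?{urlencode(query)}"


def token_request(code: str, code_verifier: str, auth_server: str = "default") -> dict:
    """POST to /token for a public PKCE client: client_id in the body, no Authorization header."""
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
            "code_verifier": code_verifier, "redirect_uri": REDIRECT_URI}
    return {"url": _endpoint("token", auth_server), "headers": headers,
            "body": body, "encoded_body": urlencode(body)}


def credential_sources(headers: dict, body: dict) -> list[str]:
    """Assumed model of the server check: two or more entries here is what produces
    'Cannot supply multiple client credentials'."""
    found = []
    if any(k.lower() == "authorization" for k in headers):
        found.append("Authorization header")
    if "client_id" in body or "client_secret" in body:
        found.append("client_id/client_secret in body")
    if "client_assertion" in body:
        found.append("client_assertion in body")
    return found
```

Running credential_sources on the original Postman request (Basic Authorization header plus client_id in the body) returns two carriers; dropping the header, as suggested above, leaves exactly one.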

After hand-crafting the Get New Access Token call (instead of using the built-in Postman button) and not including the Authorization header, I'm now getting "Invalid value for 'client_id' parameter." even though the value was copied and pasted directly from my app config in Okta. errorCauses is empty.

Hi @november.yankee,

Not sure what could be wrong with your Postman setup, but you can try the example mentioned in this blog -
You can step through the PKCE code flow example in the following repo and see the requests being made in Chrome and compare them to yours -

this is my PKCE config…

the variables I stuffed in the environment dropdown…

…but those variables common to all environments I should have probably placed here instead…

In the Okta admin site I only enabled auth code (no implicit) for my app. I do see I added this under "Login Redirect URIs"…
…and also under trusted origins…

if it still doesn’t work then maybe try turning off cert verification…

I was able to get Postman's "Get Access Token" using OAuth 2.0 working with the below config -

I see that your config is similar. :confused:
Also, your callback URL is https://localhost:44300. Make sure to whitelist that in Okta admin console as well, if you haven’t already.

This is the request I see in the Postman Console -

@vijet I initially had URLs like yours and I’d always get a 400 error

Somebody told me to specify default (as I see @november.yankee is already doing) and then it started working

Would be cool if postman detected expired tokens and re-challenged for credentials. Or at least make it obvious that the token expired – it’s something like 5 clicks to get to the token list.

{yourOktaDomain}/oauth2/v1/ is the Okta org Authorization Server. This endpoint gives you tokens with which you can make calls to Okta APIs, i.e. it protects Okta APIs.
{yourOktaDomain}/oauth2/default/v1/ is a Custom Authorization Server (named default). This endpoint is used to protect your own custom APIs.
I tried with /default/v1 endpoint and this config works for that as well.
Here’s the difference between the 2 servers -
