Following client_credentials flow docs but getting 'Invalid value for client_id'

I created a Service Application in my Okta account using the documents found here:

I moved on to the next page in the sequence and set up custom scopes according to the linked document.

At this point I expected to be able to get a token from the /v1/token API endpoint on my auth server based on these instructions:

curl -Ssi \
  --request POST \
  --url "${OKTA_AUTH_URL}/v1/token" \
  --header 'accept: application/json' \
  --header "authorization: Basic ${OKTA_CLIENT_ID}:${OKTA_CLIENT_SECRET}" \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data "grant_type=client_credentials&scope=${custom_scope}"

I have reviewed the values in OKTA_AUTH_URL, OKTA_CLIENT_ID, and OKTA_CLIENT_SECRET and cross-checked them with what I have in the admin console.

I received a 400 response with the following body payload in JSON:

{"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaelOm9cjrJRmCCH_7VIo-IaA","errorCauses":[]}

My questions:

  • Is it apparent what I am doing wrong from the above description?
  • What should I check in my authorization server setup?
    • Is there anything I could have missed in my access policy or rules setup attaching the service client/application in the auth server I am hitting?
  • Is there a way I can look up the errorId in the error message in my admin interface for more tracing capability?

I realized I wasn’t base64-ing the string “{OKTA_CLIENT_ID}:{OKTA_CLIENT_SECRET}”. Once I resolved that I moved on to the next error.
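The fix described above, as an added example that is not part of the original posts: the Basic credential is the base64 encoding of `client_id:client_secret`, built without a trailing newline or line wrapping. The helper names `basic_credential`, `looks_unencoded` and `request_token` are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: build the Basic credential for the client_credentials token request.
# Helper names are hypothetical; sample values are constructed, not real credentials.

# basic_credential CLIENT_ID CLIENT_SECRET
# Prints base64("CLIENT_ID:CLIENT_SECRET") on a single line.
basic_credential() {
  # printf '%s:%s' adds no trailing newline to the input being encoded;
  # tr strips the line breaks GNU base64 inserts every 76 output characters,
  # which would otherwise split the header when the secret is long.
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# looks_unencoded VALUE
# Returns 0 when VALUE contains characters outside the base64 alphabet,
# for example the ':' of a raw "id:secret" pair placed directly in the header.
looks_unencoded() {
  case "$1" in
    *[!A-Za-z0-9+/=]*) return 0 ;;
    *) return 1 ;;
  esac
}

# request_token
# Same request as in the question, with the credential encoded first.
# Reads OKTA_AUTH_URL, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET and custom_scope
# from the environment, as the original command does.
request_token() {
  cred=$(basic_credential "$OKTA_CLIENT_ID" "$OKTA_CLIENT_SECRET")
  if looks_unencoded "$cred"; then
    echo "credential is not valid base64; refusing to send" >&2
    return 1
  fi
  curl -Ssi \
    --request POST \
    --url "${OKTA_AUTH_URL}/v1/token" \
    --header 'accept: application/json' \
    --header "authorization: Basic ${cred}" \
    --header 'cache-control: no-cache' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data "grant_type=client_credentials&scope=${custom_scope}"
}
```

curl can also do this encoding itself: replacing the `authorization` header with `--user "${OKTA_CLIENT_ID}:${OKTA_CLIENT_SECRET}"` sends the same Basic credential.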

Hi @mbbx6spp

What is the current error that you are seeing?