Getting "confidential client" error

I followed the steps here:

and then ran this:

curl -X POST \
  https://dev-XXXXXX.oktapreview.com/oauth2/ausl2ncr0ftfu3Kmn0h7/v1/token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'username=xxx@yyy.com&password=#######&grant_type=password&scope=openid'

and ended up with this error:

{"error":"invalid_client","error_description":"The client secret supplied for a confidential client is invalid."}

Any ideas?

Hi @joe.mcmahon

Can you please check if the Authorization header contains the correct credentials? The algorithm for the header should look something like

"Authorization: Basic " + base64_encode(client_id + ":" + client_secret)

Yes, sorry, I didn’t cut & paste the whole thing. I have the following (abbreviated here) as the 2nd line before the Cache Control one:

-H 'Authorization: Basic MG9hbH…VdAo='

Hi @joe.mcmahon

Would it be possible to send us an email to developers@okta.com in order to have this further investigated internally?

You’ll also need to add offline_access scope in addition to openid for the password flow

Hi, I am having the same issue. Was this resolved?
@micah.silverman, how do you "add offline_access scope"? Is scope comma separated? I tried that and it did not solve the issue.

Thanks

Hi @daveh

Can you please use a different base64 encoder in order to encode the client id and client secret in the authorization header?

Scopes are space separated and URL encoded. So, you'd use a plus sign (+):

scope=openid+offline_access

Also, you need to use a custom authorization server, as opposed to the org level authorization server.

So, the token endpoint would be something like:

https://micah.okta.com/oauth2/aus2yrcz7aMrmDAKZ1t7/v1/token

not

https://micah.okta.com/oauth2/v1/token

Hi @dragos, When I switched to python rather than linux command line, it worked. There was 1 character different in the encoded string. No idea why…
Thanks !
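The header construction from earlier in the thread (base64 of client_id:client_secret), the space-separated scope rule, and the custom authorization server path, worked through as an added shell example; this is not code posted by anyone in the thread, and the client id, secret, username and authorization-server URL are placeholders. It also checks an existing header value for one common reason a command-line encoding differs from Python's by a character or two: `echo` appending a newline to the credentials before they reach `base64`.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. All credentials
# below are constructed placeholders. Builds the HTTP Basic value the Okta
# token endpoint expects and checks a header value for the stray trailing
# newline that `echo ... | base64` introduces.

# Correct: printf adds no newline, so exactly "client_id:client_secret" is encoded.
build_basic_header() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Wrong: echo appends "\n", so "client_id:client_secret\n" is encoded and the
# last characters of the base64 string change (typically "...Cg==" or "...Ao=").
broken_basic_header() {
  echo "$1:$2" | base64 | tr -d '\n'
}

# Returns 0 when the decoded value contains exactly one ':' and does not end in
# newline, CR or space; returns 1 otherwise. Only the last byte and the colon
# count are inspected, so the secret itself is never printed.
check_basic_header() {
  last=$(printf '%s' "$1" | base64 -d 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n')
  colons=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd ':' | wc -c | tr -d ' ')
  case "$last" in 0a|0d|20) return 1 ;; esac
  [ "$colons" -eq 1 ]
}

# Password-grant request against a custom authorization server, i.e. the
# /oauth2/<server id> base URL rather than /oauth2 alone. --data-urlencode
# encodes the password (and the space in the scope list) for us.
token_request() {
  curl -sS -X POST "$1/v1/token" \
    -H "Authorization: Basic $2" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode "username=$3" \
    --data-urlencode "password=$4" \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'scope=openid offline_access'
}

# Demonstration with placeholder credentials; no request is sent here.
hdr=$(build_basic_header "0oaPLACEHOLDERID" "placeholder-client-secret")
check_basic_header "$hdr" && echo "header ok" || echo "header has a stray character"
```

To send the request, call `token_request "https://dev-XXXXXX.oktapreview.com/oauth2/<server id>" "$hdr" "user@example.com" "the-password"` with your own values.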

Awesome, Thanks for your help.

I’ll just leave a note here, this happened to me but only when using Docker and the okta secret was wrapped with single quotes. While this worked just fine on bare metal server, somehow the value passed to Docker (also running on the railway.app platform) contained invalid characters ’

