Getting "confidential client" error

I followed the steps here:

and then ran this:

curl -X POST
https://dev-XXXXXX.oktapreview.com/oauth2/ausl2ncr0ftfu3Kmn0h7/v1/token
-H ‘Cache-Control: no-cache’
-H ‘Content-Type: application/x-www-form-urlencoded’
-d ‘username=xxx@yyy.com&password=#######&grant_type=password&scope=openid’

and ended up with this error:

{“error”:“invalid_client”,“error_description”:“The client secret supplied for a confidential client is invalid.”}

Any ideas?

Hi @joe.mcmahon

Can you please check if the Authorization header contains the correct credentials? The algorithm for the header should look something like

"Authorization: Basic " + base64_encode(client_id + ":" + client_secret)
1 Like

Yes, sorry, I didn’t cut & paste the whole thing. I have the following (abbreviated here) as the 2nd line before the Cache Control one:

-H ‘Authorization: Basic MG9hbH…VdAo=’

Hi @joe.mcmahon

Would it be possible to send us an email to developers@okta.com in order to have this further investigated internally?

You’ll also need to add offline_access scope in addition to openid for the password flow

Hi, I am having the same issue. Was this resolved ?
@micah.silverman, how do you “add offline_access scope” ? is scope comma separated ? I tried that and it did not solve the issue.

Thanks

Hi @daveh

Can you please use a different base64 encoder in order to encode the client id and client secret in the authorization header?

scopes are space separated and url encoded. So, you’d use a plus sign (+):

scope=openid+offline_access

Also, you need to use a custom authorization server, as opposed to the org level authorization server.

So, the token endpoint would be something like:

https://micah.okta.com/oauth2/aus2yrcz7aMrmDAKZ1t7/v1/token

not

https://micah.okta.com/oauth2/v1/token

Hi @dragos, When I switched to python rather than linux command line, it worked. There was 1 character different in the encoded string. No idea why…
Thanks !

Awesome, Thanks for your help.