I followed the steps here:
and then ran this:
curl -X POST
https://dev-XXXXXX.oktapreview.com/oauth2/ausl2ncr0ftfu3Kmn0h7/v1/token
-H ‘Cache-Control: no-cache’
-H ‘Content-Type: application/x-www-form-urlencoded’
-d ‘username=xxx@yyy.com&password=#######&grant_type=password&scope=openid’
and ended up with this error:
{“error”:“invalid_client”,“error_description”:“The client secret supplied for a confidential client is invalid.”}
Any ideas?
Hi @joe.mcmahon
Can you please check if the Authorization header contains the correct credentials? The algorithm for the header should look something like
"Authorization: Basic " + base64_encode(client_id + ":" + client_secret)
Yes, sorry, I didn’t cut & paste the whole thing. I have the following (abbreviated here) as the 2nd line before the Cache Control one:
-H ‘Authorization: Basic MG9hbH…VdAo=’
Hi @joe.mcmahon
Would it be possible to send us an email to developers@okta.com in order to have this further investigated internally?
You’ll also need to add offline_access scope in addition to openid for the password flow
Hi, I am having the same issue. Was this resolved ?
@micah.silverman, how do you “add offline_access scope” ? is scope comma separated ? I tried that and it did not solve the issue.
Thanks
Hi @daveh
Can you please use a different base64 encoder in order to encode the client id and client secret in the authorization header?
scopes are space separated and url encoded. So, you’d use a plus sign (+):
scope=openid+offline_access
Also, you need to use a custom authorization server, as opposed to the org level authorization server.
So, the token endpoint would be something like:
https://micah.okta.com/oauth2/aus2yrcz7aMrmDAKZ1t7/v1/token
not
Hi @dragos, When I switched to python rather than linux command line, it worked. There was 1 character different in the encoded string. No idea why…
Thanks !
Awesome, Thanks for your help.
I’ll just leave a note here, this happened to me but only when using Docker and the okta secret was wrapped with single quotes. While this worked just fine on bare metal server, somehow the value passed to Docker (also running on the railway.app platform) contained invalid characters ’