Getting Error: "invalid_grant": "The client's assurance requirements are not met."

Megha · November 30, 2022, 4:56am

Hey there, I’m trying to do Native SSO with Token Exchange grant type flow. But when I’m doing this, I’m getting the error in token endpoint for 2nd App. Here are the steps, I’m performing:

/authn api

curl --location --request POST '{okta_url}/api/v1/authn' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'User-Agent: Mozilla/5.0 ($systemInformation) $platform ($platformDetails) $extensions' \
--data-raw '{
  "username": "uname",
  "password": "password"
}'

/authorize api (& putting sessionToken value from step 1 response)

curl --location --request GET '{okta_url}/oauth2/default/v1/authorize?client_id={client_id_App1}&response_type=code&scope=openid device_sso offline_access&redirect_uri={redirect_uri_App1}&state=state-8600b31f-52d1-4dca-987c-386e3d8967e9&code_challenge_method=S256&code_challenge=qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es&sessionToken={sessionToken_Step1}'

/token api for app1 (& code from step 2)

curl --location --request POST '{okta_url}/oauth2/default/v1/token' \
--header 'accept: application/json' \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id={client_id_App1}' \
--data-urlencode 'redirect_uri={redirect_uri_App1}' \
--data-urlencode 'code={code_Step2}' \
--data-urlencode 'code_verifier=M25iVXpKU3puUjFaYWg3T1NDTDQtcW1ROUY5YXlwalNoc0hhakxifmZHag'

/token api for app2 (& deviceSecret & idToken from step 3)

curl --location --request POST '{okta_url}/oauth2/default/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={client_id_App2}' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'actor_token={deviceSecret_Step3}' \
--data-urlencode 'actor_token_type=urn:x-oath:params:oauth:token-type:device-secret' \
--data-urlencode 'subject_token={idToken_Step3}' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \
--data-urlencode 'scope=openid offline_access' \
--data-urlencode 'audience=api://default'

NOTE: If I carry out the first two steps in the browser rather than Postman, this works just fine. When I didn’t clear any cookies at first, it initially worked fine in Postman as well. However, I ended in failure when I tried deleting the cookies. I started getting the following error:

{
    "error": "invalid_grant",
    "error_description": "The client's assurance requirements are not met."
}

erik · December 2, 2022, 10:43pm

Hello,

By default assuming your Okta Org has not had a FF enabled if an /authorize call has both a sessionToken passed and a sessionCookie set in the browser (Postman) Okta will use the sessionCookie.

A couple of possible issues,

You tested with two different users. The first user had access to both app1 and app2 and it was that user that was being used for each test if there was an existing sessionCookie for them stored in the browser/Postman. Once the cookie was deleted in Postman then the /authorize call fell back to the sessionToken which now maybe tied to user2 who does not have access to app2.
Similar to the above the idToken being used does not match the user who did the /authorize call, or session if the new values were not updated each time.

I would need to test both scenarios to see which might potentially lead to this specific error. There could be other similar situations as well, potentially being caused by the sessionCookie value taking precedence over the sessionToken value in the /authorize call.

Let us know if checking either of the above resolves the issue. If not we can try to setup a repo.

Thank You,

abole · December 4, 2022, 10:38am

@Megha a few other things I’d check:

Is your test user allowed access in both access policies?
Does app 2 require MFA and app 1 doesn’t?
Ensure the device_sso scope is enabled in the access policy for app 1 (or Any scopes) are allowed
Do you have Token Exchange enabled in the access policy for the 2nd app?

Keen to know what it was!

Megha · December 5, 2022, 4:44am

Hi @erik , what do you mean by FF? Do you mean Feature Flag?

No, I have only tested it for a single user who is assigned to both applications.
I updated new values every time while I tested, the idToken matched. Only difference was it worked all good in postman, until I didn’t clear the cookies, As I indicated, if I make the first two calls in the browser and then try to make the remaining two calls from postman, everything works flawlessly.

Can you provide an explanation for this?

Megha · December 5, 2022, 4:50am

@abole thanks for replying. However, I’ve already verified these settings:

Yes access policies are allowed.
Both apps don’t require MFA, only password protection as of now.
Any scopes are enabled in access policies for both the apps.
Yes, Token Exchange is enabled for both the apps in the allowed grant types.

abole · December 5, 2022, 5:24am

Perhaps you’re logged in in the browser as a different user than the one you used in postman? E.g. logged in in the browser as your Okta admin account, not the test account?

sandeep_khurana · October 24, 2023, 6:33am

@Megha
Can you please update on the solution ?