Hi everyone,
I’m trying to obtain a client_credentials token via my custom Authorization Server using the “Public Key / Private Key” approach. I’ve configured my application in Okta with the corresponding public key.
Here is my curl command:
curl --location 'https://<okta_url>/oauth2/<custom_authorization_id>/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_assertion=<MY_SIGNED_JWT>' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'scope=okta.users.read'
Unfortunately, I’m getting this response:
{
  "errorCode": "invalid_client",
  "errorSummary": "Invalid value for 'client_id' parameter.",
  "errorLink": "invalid_client",
  "errorId": "oaepTxxcoTnQ0if_ThJnFNf4w",
  "errorCauses": []
}
Here’s the JWT payload I’m using:
{
  "iss": "<client_id>",
  "sub": "<client_id>",
  "aud": "https://<okta_url>/oauth2/<custom_authorization_id>/v1/token",
  "exp": 1736182936
}
And here’s the header, including the kid:
{
  "alg": "RS256",
  "kid": "hVXXXXXXXXXXXXXXXXXXXXXXXX"
}
I’ve confirmed that the kid matches the public key configured in my Okta app, and the aud matches the exact token endpoint URL for my custom Authorization Server. I also tried explicitly adding client_id in the POST data, but the issue persists.
Could someone please help me figure out why I keep receiving this “invalid_client” error? Are there any additional settings or parameters required for a JWT-based client_credentials flow with a custom Authorization Server? Any guidance would be greatly appreciated.
Thanks in advance!
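As an added example (not part of the original post and not Okta's own tooling), the following stdlib-only Python script performs the pre-flight checks an authorization server applies to a JWT client assertion before it ever looks at the signature: the header must name RS256 and carry a kid, iss and sub must both equal the client_id, aud must contain the exact token endpoint URL, and exp must still be in the future. The client_id, token endpoint and kid values are constructed placeholders, and the signature segment is a placeholder too; verifying an RS256 signature requires the registered public key and a crypto library, which is deliberately out of scope here.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed placeholder values; substitute your own app's client_id and
# the token endpoint of the custom authorization server you are calling.
CLIENT_ID = "0oaEXAMPLECLIENTID"
TOKEN_ENDPOINT = "https://example.okta.com/oauth2/ausEXAMPLE/v1/token"


def _b64url_encode(data: bytes) -> str:
    # JWS uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that compact JWS strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_assertion(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature segment (claims checks only)."""
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    # A real client_assertion must carry an RS256 signature over signing_input
    # made with the private key whose public half is registered on the app.
    return signing_input + ".PLACEHOLDER_SIGNATURE"


def check_client_assertion(assertion: str, client_id: str,
                           token_endpoint: str, now: Optional[int] = None) -> List[str]:
    """Return the list of claim/header problems found; an empty list means the checks pass."""
    problems: List[str] = []
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["assertion is not a three-part compact JWS"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        return [f"header/payload is not valid base64url JSON: {exc}"]

    now = int(time.time()) if now is None else now

    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected RS256")
    if not header.get("kid"):
        problems.append("header has no kid, so the server cannot pick the registered public key")
    if payload.get("iss") != client_id:
        problems.append(f"iss {payload.get('iss')!r} does not equal client_id {client_id!r}")
    if payload.get("sub") != client_id:
        problems.append(f"sub {payload.get('sub')!r} does not equal client_id {client_id!r}")

    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if token_endpoint not in aud_list:
        problems.append(f"aud {aud!r} does not contain the token endpoint {token_endpoint!r}")

    exp = payload.get("exp")
    if not isinstance(exp, int):
        problems.append("exp is missing or not an integer")
    elif exp <= now:
        problems.append(f"exp {exp} is in the past (assertion expired)")
    return problems


if __name__ == "__main__":
    # Constructed sample assertion mirroring the shape of the post's header and payload.
    sample_header = {"alg": "RS256", "kid": "constructed-kid-id"}
    sample_payload = {"iss": CLIENT_ID, "sub": CLIENT_ID,
                      "aud": TOKEN_ENDPOINT, "exp": int(time.time()) + 300}
    for problem in check_client_assertion(
            build_unsigned_assertion(sample_header, sample_payload), CLIENT_ID, TOKEN_ENDPOINT):
        print("PROBLEM:", problem)
```

Run it with the real client_assertion string pasted in place of the constructed one; an empty problem list tells you the claim shape is not the reason for the rejection, which narrows the fault to the signature, the registered key, or the client registration itself.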