Getting invalid_client when trying to get access token using token API

I am trying to set up API-based authentication for my web application. I have followed the steps mentioned in the post below:
https://support.okta.com/help/s/article/How-to-get-tokens-for-an-OIDC-application-without-a-browser-using-curlPostman?language=en_US

I have successfully authenticated the user and also got the authorization code, but in the last step, for the token, I am getting the error below:
{
"error": "invalid_client",
"error_description": "Client authentication failed. Either the client or the client credentials are invalid."
}

Is it because the app I am trying to log in to is a web application, or is there something that is not right with my approach?

If you are using a Web application within Okta, then the client auth is most likely set to Client Secret. Make sure you always use the correct client authentication when making your token request.

If you’re not sure what this looks like, you can see examples in our guide about Authorization Code flow here: Implement authorization by grant type | Okta Developer


@andrea Thanks for the response. I was able to get the token after some amendments, but when I am using the access token I am getting a bad token. I compared the token which I get in the browser and the one I generated in Postman using a JWT tool, and it seems both have different signatures. Any idea how I can fix this, as the application does not seem to be recognizing the token?

Oh, like you have a resource server/API that you are sending the access tokens to as auth? What’s the issuer of the token for which you’re having issues validating the signature?

Yes, we have the default authorization server, and the issuer we have added (the one I have used) is the same as what is being passed in the browser: it is my Okta domain/oauth2/default/.well-known/openid-configuration. But still both are different, and the access token which I get from Postman is not accepted in the API call of the application which I have integrated.

Can you share the signature portion of the JWT that is failing to validate and the output of the /v1/keys endpoint for the same authorization server? Does the kid in the token signature not match one of the JWKs listed at the /keys endpoint?

Actually, in the browser we do not get the KID. Below are the signatures from both tokens:

Browser:

{"header": {"alg":"RS256","typ":"JWT"}, "payload": {"user":{"_id":"00u2nopw3mf64w8ip1d7","authMethod":"oidc","authMethodDetails":{"op":"mmc-oidc-next"},"ip":"136.226.233.91","isDesignerUser":false,"sessionId":"f915b17d-143e-4489-85d3-7e151ec7ca9d","refreshExp":1706857648651,"_csrf":"fS5JXUoTTomH0euolseEMpac","exp":1706778448},"exp":1706778448,"iat":1706771248}}

Postman:

{"header": {"kid":"lT-x0qzyjFrQt2CNtxWcuiEcNcQ41iUUKmmIsWq9-is","alg":"RS256"}, "payload": {"ver":1,"jti":"AT.YXaZfhCAcmYQHpU8PgnbaIdEmmyiRMK8VDUS9JFE37A","iss":"https://devsso.maimocare.org","aud":"https://devsso.maimocare.org","sub":"nimesh_pareek+HC@persistent.com","iat":1706772109,"exp":1706775709,"cid":"0oaa27m1xBZLn5TKi1d6","uid":"00u2nopw3mf64w8ip1d7","scp":["openid"],"auth_time":1706771152}}

Who issued that first token? It doesn’t look like one created by an Okta Authorization Server.

Are you/your application generating a JWT yourself?
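An added example (not from the thread, Okta, or the poster's application) of the pre-verification checks discussed above: decode the JWT header and payload, confirm the header carries a kid that appears in the authorization server's JWKS, compare iss with the expected issuer, and check exp. The JWKS and tokens here are constructed, the signature segment is a dummy, and the RS256 signature check itself is left to a JWT library once these checks pass.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed stand-in for the document returned by GET /oauth2/default/v1/keys.
# Only the kid values matter for this check; "n" is a dummy, not a real modulus.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "sample-kid-1", "e": "AQAB", "n": "dummy"},
]}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(header: dict, payload: dict) -> str:
    # Builds a compact JWT with a dummy signature ("sig"), for exercising the checks only.
    parts = [b64url_encode(json.dumps(h).encode()) for h in (header, payload)]
    return ".".join(parts + ["c2ln"])

def inspect_token(token: str, jwks: dict, expected_issuer: str,
                  now: Optional[int] = None) -> List[str]:
    """Return the reasons a resource server would reject this token before even
    attempting RS256 verification; an empty list means 'go on and verify the signature'."""
    problems = []
    try:
        header_b64, payload_b64, _sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return ["token is not a three-part compact JWT"]
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    kid = header.get("kid")
    if kid is None:
        problems.append("header has no kid: not issued by an Okta authorization server")
    elif kid not in known_kids:
        problems.append(f"kid {kid!r} is not in the JWKS: key rolled or wrong authorization server")
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if payload.get("iss") != expected_issuer:
        problems.append(f"iss {payload.get('iss')!r} does not match expected {expected_issuer!r}")
    now = int(time.time()) if now is None else now
    if "exp" not in payload or payload["exp"] <= now:
        problems.append("token is expired or has no exp")
    return problems
```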
