I need to pass the client_id along with the get-token endpoint request in my Okta SSO OAuth2 setup.

I changed the service provider code to pass this. But now I keep getting this error.
"Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body."

Also, to add more context, the Okta setup was working fine until I added the client_id. But I cannot remove the client_id because I have other Identity Providers integrated as well, and some of them require it.

How can I get around this?


Hi @Sarah, are you able to inspect (e.g. Chrome devtools > Network tab) the call going to your IdP to see if you're sending multiple client_ids?

Could you share a bit more about your environment? It's difficult to understand the flow and where the other IdPs play a part.

Yes, sure. I can debug and see calls going through to the IdP, and this is what the request looks like:

```js
{
  headers: {
    Authorization: 'Basic {auth-token from the authorization endpoint}',
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  payload: 'grant_type=authorization_code&code={authorization-code}&redirect_uri={service-provider\'s url}&client_id={idp\'s client id}'
}
```

I am using Node.js at the service provider end.

I wonder if it's getting confused between the client in your Authorization header and the client_id in the URL? Are both of these for the same app?

Auth code flow is a multi step process and this looks like step 2. What initiated step one and do you see an authorization code coming back?

The Okta API doc for the openid API is here if you want to check the expected parameters for a call. OpenID Connect & OAuth 2.0 API | Okta Developer

There's a great overview video on YouTube from Nate Barbattini from Okta which breaks down each call in the flow, which I sometimes refer to.


Never gets old! :smile: OAuth 2.0 and OpenID Connect (in plain English) - YouTube


Have you been able to solve this issue?

We ran into the same error recently. Our app client has to send the same client_id and client_secret both in the header and in the body to be able to support other authorisation servers. Is there a way to circumvent the requirement to send the credentials only in one place?
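As an added illustration of the problem the thread describes (this is example code, not code from any poster or from Okta), the following Node.js snippet builds the authorization-code token request so that the client authenticates in exactly one way, chosen per IdP from a `token_endpoint_auth_method` value, and refuses to send a request that carries credentials in more than one place. RFC 6749 section 2.3 forbids using more than one client authentication method in a single request, which is what the "Cannot supply multiple client credentials" error reports. The IdP configurations, endpoints, client ids and secrets below are constructed placeholders, and `fetchImpl` is injected so the code can be exercised without network access.

```javascript
// Added example, not part of the original thread.
// Builds an OAuth 2.0 token request with exactly one client authentication
// method, selected per identity provider. Mixing a Basic Authorization header
// with client_id/client_secret in the body violates RFC 6749 section 2.3 and
// is rejected by Okta with "Cannot supply multiple client credentials".

// Constructed sample IdP configurations (placeholders, not real endpoints).
const IDPS = {
  okta: {
    tokenEndpoint: 'https://example.okta.com/oauth2/v1/token', // placeholder
    clientId: 'okta-client-id',
    clientSecret: 'okta-client-secret',
    tokenEndpointAuthMethod: 'client_secret_basic', // credentials in the header only
  },
  other: {
    tokenEndpoint: 'https://idp.example/token', // placeholder
    clientId: 'other-client-id',
    clientSecret: 'other-client-secret',
    tokenEndpointAuthMethod: 'client_secret_post', // credentials in the body only
  },
};

// Build the token request for one IdP. Returns a plain object so it can be
// inspected (and tested) before anything is sent.
function buildTokenRequest(idp, code, redirectUri) {
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  switch (idp.tokenEndpointAuthMethod) {
    case 'client_secret_basic': {
      // RFC 6749 section 2.3.1: client_id and client_secret are
      // form-urlencoded before being joined and base64-encoded.
      const user = encodeURIComponent(idp.clientId);
      const pass = encodeURIComponent(idp.clientSecret);
      headers.Authorization = 'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64');
      break;
    }
    case 'client_secret_post':
      params.set('client_id', idp.clientId);
      params.set('client_secret', idp.clientSecret);
      break;
    default:
      throw new Error(`unsupported token_endpoint_auth_method: ${idp.tokenEndpointAuthMethod}`);
  }
  return { url: idp.tokenEndpoint, method: 'POST', headers, body: params.toString() };
}

// Count the distinct places a request carries client credentials. A compliant
// request has exactly one; the request quoted in the thread has two.
function countClientCredentialLocations(req) {
  const body = new URLSearchParams(req.body || '');
  let locations = 0;
  if (/^Basic /i.test((req.headers && req.headers.Authorization) || '')) locations += 1;
  if (body.has('client_id') || body.has('client_secret')) locations += 1;
  if (body.has('client_assertion')) locations += 1;
  return locations;
}

// Exchange the code for tokens, failing closed if the request is malformed.
// fetchImpl is injectable so the function can be unit-tested offline.
async function exchangeCode(idp, code, redirectUri, fetchImpl = globalThis.fetch) {
  const req = buildTokenRequest(idp, code, redirectUri);
  const n = countClientCredentialLocations(req);
  if (n !== 1) {
    throw new Error(`refusing to send token request with ${n} credential locations`);
  }
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json();
}

module.exports = { IDPS, buildTokenRequest, countClientCredentialLocations, exchangeCode };
```

The key design point is that the choice of authentication method lives in per-IdP configuration rather than in the request-building code, so supporting an authorization server that wants `client_secret_post` never causes the same `client_id` to leak into the body of a `client_secret_basic` request. The pre-flight count is cheap and turns the server-side error into a local, testable failure.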