No username matches value 'client_id' of 'sub' claim

Questions OAuth/OIDC
1

Hello Team,

I have generated JWT token from the below python code.

token = jwt.encode({
‘jti’: str(uuid.uuid4()),
‘iat’: int(time.time()),
‘iss’: client_id,
‘sub’: client_id,
‘aud’: ‘https://dev-xyz.okta.com/oauth2/default/v1/token’,
“exp”: int(time.time()) + 3600,
#‘alg’: “RS256”
},
private_key,
algorithm=‘RS256’
)

And then generated token given below code.

headers = {
‘Content-Type’: ‘application/x-www-form-urlencoded’
}
private_key_jwt = create_private_key_jwt()
payload = f’grant_type=client_credentials&scope=testing&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={private_key_jwt}’
x = requests.post(‘https://dev-xyz.okta.com/oauth2/default/v1/token’, headers=headers, data=payload)

Finally I used this token in collibra and i got the exception “no username matches value ‘client_id’ of ‘sub’ claim”

Thanks,
Gobi

2

It looks like the error is related to the subject (sub) claim in the JWT token. The error message “no username matches value ‘client_id’ of ‘sub’ claim” indicates that the value of the ‘sub’ claim in the JWT token does not match any username in the system.

Here are a few things to check and adjust:

  1. Ensure ‘sub’ Claim Value:
  • The ‘sub’ claim typically represents the subject of the token, which is often a user identifier. In your case, you’ve set it to the client_id. If you are using this token to represent a client (rather than a user), you might want to set ‘sub’ to a more generic identifier.
  1. Check User or Client in Okta:
  • Ensure that the identifier used in the ‘sub’ claim (whether it’s client_id or another identifier) corresponds to a valid user or client in Okta.
  • If you’re using a client credential grant, Okta expects a client identifier as the subject.
  1. Verify Scopes and Permissions:
  • Make sure that the client represented by the ‘sub’ claim has the necessary scopes and permissions to perform the actions you are trying to execute in Collibra.
  1. Check Collibra Configuration:
  • Review how Collibra expects the JWT token to be structured and what claims it requires. Ensure that the token generated aligns with Collibra’s expectations.

Here’s an updated example with a more generic ‘sub’ claim:

token = jwt.encode({
    'jti': str(uuid.uuid4()),
    'iat': int(time.time()),
    'iss': client_id,
    'sub': 'some_unique_identifier',  # Adjust this to a unique identifier for the client or context
    'aud': 'https://dev-xyz.okta.com/oauth2/default/v1/token',
    'exp': int(time.time()) + 3600,
}, private_key, algorithm='RS256')

Remember to replace 'some_unique_identifier' with an appropriate value based on your use case. Additionally, ensure that this identifier exists in Okta and has the necessary permissions in Collibra.

3

Hello Tanishkumar,

Thanks for you explanation.

This method to generate token using grant_type

payload = f’grant_type=client_credentials&scope=testing&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={private_key_jwt}’

Is I need to change anything above line ?

token = jwt.encode({
‘jti’: str(uuid.uuid4()),
‘iat’: int(time.time()),
‘iss’: client_id,
‘sub’: ‘some_unique_identifier’, # Adjust this to a unique identifier for the client or context
‘aud’: ‘https://dev-xyz.okta.com/oauth2/default/v1/token’,
‘exp’: int(time.time()) + 3600,
}, private_key, algorithm=‘RS256’)

What is some_unique_identifier ?, because I used client id as unique identifier(xxxxxxxxx2nKEKOzi5d7)

I have attached the collibra configuration.

image
image1010×357 42.5 KB

Thanks,
Gobi

4

Are you trying to do OAuth for Okta?
If so, the sub claim also needs to be the client_id, as noted in our docs here: Implement OAuth for Okta with a service app | Okta Developer.
Also, if you are trying to get an Access Token to use against Okta’s APIs, make sure the audience is the Token endpoint for the Org Authorization Server, e.g. https://dev-xyz.okta.com/oauth2/v1/token (without the /default)