Okta access token using token endpoint URL returns HTTP 401 error

I am new to Okta.
I am using the code below to get the access token, but I am getting a 401 Unauthorized error on this line:

    inputBuff = new BufferedReader(new InputStreamReader(httpsClient.getInputStream()));

    // Needs: java.io.*, java.net.URL, java.nio.charset.StandardCharsets,
    // java.util.Base64, javax.net.ssl.HttpsURLConnection
    String oktaURL = "https://xxx.oktapreview.com/oauth2/default/v1/token";
    URL url1 = new URL(oktaURL);
    StringBuffer response = null;
    String output1;

    log.info("The url to get the access token:" + url1.toString());
    if (url1.getProtocol() != null && url1.getProtocol().startsWith("https")) {
        httpsClient = (HttpsURLConnection) url1.openConnection();
        httpsClient.setRequestMethod("POST");
        httpsClient.setDoOutput(true); // required before getOutputStream()
        httpsClient.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        // Client credentials as HTTP Basic auth (client_id is also in urlParameters, see below)
        httpsClient.setRequestProperty("Authorization", "Basic "
                + Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8)));
        log.info("Send the POST request");
        // Send post request: urlParameters is the hand-built form body defined just above oktaURL
        try (DataOutputStream opStream = new DataOutputStream(httpsClient.getOutputStream())) {
            opStream.writeBytes(urlParameters);
            opStream.flush();
        }
        inputBuff = new BufferedReader(new InputStreamReader(httpsClient.getInputStream())); // throwing 401 here.
        log.info("Read from the input stream");

        response = new StringBuffer();
        while ((output1 = inputBuff.readLine()) != null) {
            response.append(output1);
        }
        inputBuff.close();
    }
    if (response != null) {
        String theString = response.toString();
        log.info("Token response: " + theString);
    }

I can navigate to the Okta server's login page via the /authorize URL, authentication succeeds, and the user is redirected back to my application. Now I am trying to get the access token. Please help me solve this in Java.

Where is your urlParameters defined? The error is likely because one or more parameters are missing.

Just right above oktaURL:

    // "&" added between client_id and grant_type; the parameters are still not form-encoded
    String urlParameters = "client_id=" + clientId + "&grant_type=authorization_code&redirect_uri=" + "http://<host>:8192/app" + "&code=" + oktaCode;

I just checked the Okta log; it shows the following right above the authentication success entry.

Got it, the oktaUrl looks like the first line I can see in the paste.

The error is accurate, you can only send the client id and secret in either the post body or the HTTP header, so you’ll either need to remove the client_id and client_secret from the post body parameters or remove the Authorization header.

Also you’ll want to properly form-encode the post body parameters. I’d recommend using an HTTP client that has that built in rather than building the post body by hand.


I tried removing client_id from either urlParameters or the Authorization header; both return a 400 error.
But I can see the following in the Okta server log (instead of unknown client, it now displays the app name with mismatched_authorization_server):

I also tried passing the secret key in the parameters together with the client id and got a 400 error.

Note: with my authorize endpoint I got the Okta code and state.

Also, can you give any reference URL/sample code for a built-in HttpClient?

UPDATE: Fixed the issue; I am getting the access_token now. I needed to either remove "default" from the /token endpoint or add "default" to the /authorize endpoint.

Thanks for all your inputs!!!
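Added example (not the poster's code and not Okta's own sample): a token request with the JDK's built-in java.net.http.HttpClient that applies the three points raised in this thread, namely credentials only in the Basic Authorization header (not also in the body), a properly form-encoded body, and /authorize and /token taken from the same authorization server. The host, client id, secret, redirect URI and code are placeholders; the class and method names are my own.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

/**
 * Exchanges an authorization code for tokens at Okta's token endpoint.
 * Constructed example for this thread; all values below are placeholders.
 */
public class OktaTokenExchange {

    // Both endpoints must come from the same authorization server:
    // ISSUER + "/v1/authorize" pairs with ISSUER + "/v1/token".
    // Mixing ".../oauth2/v1/..." with ".../oauth2/default/v1/..." gives
    // mismatched_authorization_server.
    static final String ISSUER = "https://xxx.oktapreview.com/oauth2/default";

    // Proper application/x-www-form-urlencoded encoding of every key and value.
    static String formEncode(Map<String, String> params) {
        return params.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)
                + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    static HttpRequest buildTokenRequest(String clientId, String clientSecret,
                                         String code, String redirectUri) {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "authorization_code");
        form.put("code", code);
        form.put("redirect_uri", redirectUri); // must match the /authorize request exactly

        // client_id / client_secret go ONLY in the Basic header here.
        // Sending them in the header and the body at the same time is rejected.
        String basic = Base64.getEncoder().encodeToString(
            (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));

        return HttpRequest.newBuilder(URI.create(ISSUER + "/v1/token"))
            .header("Authorization", "Basic " + basic)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .header("Accept", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(formEncode(form)))
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Secrets read from the environment rather than hard-coded (placeholder names)
        String clientId = System.getenv("OKTA_CLIENT_ID");
        String clientSecret = System.getenv("OKTA_CLIENT_SECRET");
        String code = args.length > 0 ? args[0] : "<code from the /authorize redirect>";
        String redirectUri = "http://<host>:8192/app";

        HttpResponse<String> resp = HttpClient.newHttpClient().send(
            buildTokenRequest(clientId, clientSecret, code, redirectUri),
            HttpResponse.BodyHandlers.ofString());

        // 200 -> JSON body with access_token; 400/401 -> JSON body with
        // "error" and "error_description" explaining which of the three
        // conditions above was violated.
        System.out.println("HTTP " + resp.statusCode());
        System.out.println(resp.body());
    }
}
```

If you prefer sending the credentials in the body instead (client_secret_post), drop the Authorization header and add client_id and client_secret to the form map; do one or the other, never both. Requires Java 11 or later for java.net.http.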

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.