I am creating an Okta connection in Google Cloud Platform Application Integration. I created my account on Okta and created two web applications in OIDC: one with authorization code and refresh token, for which I got a ClientID and Secret and set the redirect URI to https://console.cloud.google.com/connectors/oauth; and a second with both client credentials and authorization code, for which I got the ClientID and public/private key and set the redirect URL. In the meantime, I created a connection in the GCP Integration Connector and provided the required details, which are the domain, ClientID, secret and auth URL, which is https://{mydomain}/oauth2/v1/authorize. When authorizing, it goes to this URL and gets a code, and when it comes back to the connector page I get this error:
Status Error failed to exchange auth code: Cause: {"error":{"code":400,"message":"Unknown parameter name found in the request: Scope","status":"INVALID_ARGUMENT"}}:- internal
And when using client credentials I am getting 401 authorization failed, failed to get a token, even when providing everything valid.
Can anyone assist in this regard? Thanks in advance.
Is that error being thrown on the Okta side or the Google side, and what is the URL for that failure (is it the /authorize endpoint, or the redirect_uri)?
Thanks for the reply. The errors I am seeing are on GCP for both grant types. I think the redirection or authorization worked perfectly; here is the detail. When I click to authorize it went to this URL:
https://{mydomain}/oauth2/v1/authorize?state=A3Aop0FwUgKm1HPneBBvVg%3Ahttps%3A%2F%2Fconsole.cloud.google.com&response_type=code&client_id={myclientID}&scope=openid%20profile%20email&redirect_uri=https%3A%2F%2Fconsole.cloud.google.com%2Fconnectors%2Foauth
and gets the code, and this is the URL that comes after it.
Hmm, well those requests at least make sense, and it looks like the /authorize call worked perfectly and Okta managed to return an [authorization] code to the redirect_uri. It at least looks like the thing that's failing is when GCP sends that authorization code back to the /token endpoint to receive tokens, but I don't recognise the error that you're seeing and haven't been able to reproduce it by adding 'Scope' to a /token request.
Do you know if there is a way to see what exactly is being sent in the request that's failing?
Thank you for the reply again. Basically, in GCP there is an Okta connector which I am using to make a connection to use in the integration or to explore it. When I go with the authentication method OAuth 2.0 authorization code, it asks me for these details: ClientID, Scope, ClientSecret and the authorization URL. The error said the Scope parameter is unknown, but I am not adding or sending this parameter name manually, just giving it the values like openid, email, and profile.
I think there is something wrong with the connector, because when I select client credentials with JWT bearer as the authentication method it only asks me for a Private Key in place of ClientSecret; ClientID and Scope are the same, but it did not ask for the authorization URL for this method. There should be both client secret and private key, as I can get both of them from Okta.
Within Okta at least, an application will only have a single client authentication type, so it does make sense that they only ask for either a Client Secret or a Private Key. Is this GCP connector meant to be able to make API calls to Okta to read information about Users, Groups, or similar?
Out of curiosity, do you see any different behavior when using Private Key JWT auth instead of Client Secret?
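As an added example (not code from this thread, from the GCP connector, or from Okta), here is how the two /token requests discussed above are formed against Okta's org authorization server, whose token endpoint sits beside the /oauth2/v1/authorize URL the poster used. It assumes a placeholder org domain, placeholder client values and an externally supplied RS256 signer. It shows the authorization_code exchange with client_secret_basic, which carries no scope parameter at all (the scopes were fixed at /authorize), a check that every form key is a known lowercase parameter name, which is the kind of thing an "Unknown parameter name found in the request: Scope" error points at, and the client_credentials request with a private_key_jwt client assertion, whose iss and sub must be the client_id and whose aud must be the token endpoint URL.

```python
import base64
import json
import secrets
import time
import urllib.parse
from typing import Callable, Dict, Tuple

# Illustrative placeholders, not values from the thread: substitute the real org
# domain and the redirect URI registered on the Okta app.
OKTA_DOMAIN = "example.okta.com"
TOKEN_URL = f"https://{OKTA_DOMAIN}/oauth2/v1/token"  # org authorization server
REDIRECT_URI = "https://console.cloud.google.com/connectors/oauth"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Form parameters a /token request may carry (RFC 6749, RFC 7523, PKCE). Names are
# case-sensitive and lowercase; a key spelled "Scope" is an unknown parameter.
KNOWN_TOKEN_PARAMS = {
    "grant_type", "code", "redirect_uri", "scope", "refresh_token", "code_verifier",
    "client_id", "client_secret", "client_assertion_type", "client_assertion",
}


def unknown_token_params(body: Dict[str, str]) -> list:
    """Return any body keys the token endpoint would not recognise (e.g. 'Scope')."""
    return sorted(set(body) - KNOWN_TOKEN_PARAMS)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def auth_code_exchange(client_id: str, client_secret: str,
                       code: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Headers and form body for the authorization_code grant with client_secret_basic.

    The scopes were fixed by the /authorize request that produced the code, so no
    scope parameter of any spelling belongs in this exchange.
    """
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    assert not unknown_token_params(body)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def client_assertion(client_id: str, kid: str, sign: Callable[[bytes], bytes],
                     now: int = None, jti: str = None) -> str:
    """Build the private_key_jwt client assertion (RFC 7523) Okta expects:
    iss and sub are the client_id, aud is the token endpoint URL, short exp.

    `sign` must return an RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signature over the
    signing input using the app's private key; it is injected as an assumed callable
    so the builder can be exercised without a key library.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_URL,
              "iat": now, "exp": now + 300, "jti": jti or secrets.token_urlsafe(16)}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64url(sign(signing_input.encode()))}"


def client_credentials_request(assertion: str,
                               scopes: list) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Headers and form body for client_credentials with a private_key_jwt assertion.

    No client_secret is sent: the signed assertion is the client credential. The
    scopes must be ones the authorization server grants to this flow (for the org
    server, okta.* API scopes), not the OIDC user scopes openid/profile/email.
    """
    body = {"grant_type": "client_credentials", "scope": " ".join(scopes),
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}
    assert not unknown_token_params(body)
    return {"Content-Type": "application/x-www-form-urlencoded"}, body


def decode_assertion(token: str) -> Tuple[dict, dict]:
    """Parse header and claims back out of an assertion (no signature check)."""
    def dec(part: str) -> dict:
        return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    h, c, _sig = token.split(".")
    return dec(h), dec(c)


def encode_form(body: Dict[str, str]) -> str:
    """x-www-form-urlencoded body, as it goes on the wire."""
    return urllib.parse.urlencode(body)
```

To send either request for real, POST `encode_form(body)` with the returned headers to TOKEN_URL and replace the injected signer with one that uses the RSA private key Okta generated for the app (the `kid` must match the key registered on that app). Printing `unknown_token_params` over whatever form body a client actually sends is the quickest way to confirm whether a capitalised "Scope" key is present.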