Okta /token endpoint does not follow OAuth2 standard for invalid client_id

Hi there,

When I supply an invalid client id (one that doesn’t exist) to the /token endpoint with the “client_credentials” grant type, I get a 400 response, but the JSON payload does not use the OAuth2 snake_case response. Instead it is the Okta camelCase response:

{
    "errorCode": "invalid_client",
    "errorSummary": "Invalid value for 'client_id' parameter.",
    "errorLink": "invalid_client",
    "errorId": "oaeAzmar7W-RBO7bTiWZ--fmQ",
    "errorCauses": []
}

I was expecting something along the lines of this error, which is returned by Okta when you have a valid client but invalid credentials:

{
    "error": "invalid_client",
    "error_description": "The client secret supplied for a confidential client is invalid."
}

Should I code these different response bodies into my app? I wonder if this is not compliant with the OAuth2 standard (RFC 6749: The OAuth 2.0 Authorization Framework).

Thank you.
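An added example, not from the original post or from Okta, of how a client could handle both body shapes defensively: the camelCase variant is mapped onto the RFC 6749 section 5.2 fields so the rest of the application only ever deals with one form, and anything that is neither shape is rejected rather than silently treated as a known OAuth2 error. The sample bodies are constructed from the two responses quoted above.

```python
import json

# RFC 6749 section 5.2 error codes a /token endpoint may return.
RFC6749_TOKEN_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

# Constructed sample bodies, modelled on the two responses quoted in the post.
OKTA_CAMELCASE_BODY = json.dumps({
    "errorCode": "invalid_client",
    "errorSummary": "Invalid value for 'client_id' parameter.",
    "errorLink": "invalid_client",
    "errorId": "oaeAzmar7W-RBO7bTiWZ--fmQ",
    "errorCauses": [],
})
RFC_SNAKE_CASE_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "The client secret supplied for a confidential client is invalid.",
})

def normalize_token_error(status: int, body: str) -> dict:
    """Map either error body shape onto the RFC 6749 section 5.2 fields.

    'rfc_compliant' is False when the camelCase shape had to be translated
    or the code is not one defined in section 5.2; unknown bodies raise."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"token error body is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("token error body is not a JSON object")
    if "error" in data:  # RFC 6749 shape
        code, desc, compliant = data["error"], data.get("error_description", ""), True
    elif "errorCode" in data:  # Okta camelCase shape
        code, desc, compliant = data["errorCode"], data.get("errorSummary", ""), False
    else:
        raise ValueError(f"unrecognised token error body keys: {sorted(data)}")
    if code not in RFC6749_TOKEN_ERRORS:
        # Unknown codes are kept but flagged rather than silently trusted.
        compliant = False
    return {"error": code, "error_description": desc,
            "status": status, "rfc_compliant": compliant}

if __name__ == "__main__":
    for body in (OKTA_CAMELCASE_BODY, RFC_SNAKE_CASE_BODY):
        print(normalize_token_error(400, body))
```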

I don’t think 4.1.2.1 would cover this scenario, as that seems to relate only to the Authorization Request. However, you mention this is from making a /token request for the Client Credentials flow, which should put it under 4.1.4, which is about the Access Token response and links to section 5.2 to cover error responses, including the invalid_client error you’re seeing.


Thank you andrea! I agree, you are correct!
So if I am reading correctly, following that document (section 5.2), the response should be 400 with a response body like the following:

{
    "error": "invalid_client",
    "error_description": "The client id is unknown"
}

where “error_description” has a value that I came up with above (not specified in the document).
Is that right, or maybe I am missing something?
Thank you.