Password grant type gives invalid client error

I am trying to get an access token using the password grant type with a curl command:
curl --request POST \
  --url https://dev.okta.com/oauth2/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic …' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password&username=<>&password=<>&client_id=<>'

Running this, I get the error below:
{"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaezpHU5UrjQ0CiT5uGPpfqeg","errorCauses":[]}

Also, do I need a custom authorization server for this, or does the org-level authorization server work?

Hi @khandelw,

I just tried it with my client and it works fine.
A couple of things to note:

  1. You need a custom authorization server for this. The org authorization server is only to protect Okta APIs or for SSO. Read this for more info - https://developer.okta.com/docs/concepts/auth-servers/#available-authorization-server-types

  2. I see that you're passing client_id as part of the body. That is not needed.
    Here's my example request:

curl --request POST \
  --url https://myorg.okta.com/oauth2/default/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9h...' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password&username=abc%40xyz.com&password=xxxxxx&scope=openid' 

Note that I’m using the custom authorization server token endpoint /oauth2/default/v1/token and not the org authorization server endpoint.

You can follow this guide as well - https://developer.okta.com/docs/guides/implement-password/setup-app/

Hope this helps.

@khandelw You actually do not need a custom authorization server to use resource owner password flow, but what @vijet said about the use case for the built-in org authorization server does still apply.

Secondly, how the client authentication is passed depends on the configuration for your Native app in Okta. If your application has a client secret generated for it, the sample curl @vijet supplied will work, where the authorization header is the Base64 encoded clientId:clientSecret.

However, if your application is configured for PKCE, a client secret will not exist and you will not be using an authorization header. Instead, you will pass in the client_id in the body of your request, as in this example:

curl --location --request POST 'https://org.okta.com/oauth2/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=test.user' \
--data-urlencode 'password=p@ssw0rd' \
--data-urlencode 'scope=openid' \
--data-urlencode 'client_id={{clientId}}'

Make sure not to mix the two techniques and to only use the one that applies to your application.

1 Like
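The two client-authentication forms described in the replies (Basic header for a confidential client, client_id in the body for a public client), built into one request and checked for the mix-up the question posted. This is an added example, not code from the thread or from Okta; the client id, secret and token URL are constructed placeholders.

```python
import base64
from urllib.parse import urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client_secret_basic: Basic base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_password_grant_request(token_url, username, password, client_id,
                                 client_secret=None, scope="openid"):
    """Return (url, headers, body) for a resource owner password grant.

    Confidential client (has a secret): credentials go in the Authorization
    header and client_id is NOT repeated in the body.
    Public client (PKCE app, no secret): client_id goes in the body and no
    Authorization header is sent. The two forms are never combined.
    """
    params = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if client_secret:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        params["client_id"] = client_id
    # urlencode percent-encodes reserved characters, e.g. '@' -> '%40' in the username
    return token_url, headers, urlencode(params)


def client_auth_problems(headers, body):
    """Flag the combination the question used (Basic header AND client_id in
    the body) or a request that authenticates the client in neither place."""
    has_header = "Authorization" in headers
    has_body_id = "client_id=" in body
    if has_header and has_body_id:
        return ["client authenticated twice: drop client_id from the body or drop the Authorization header"]
    if not has_header and not has_body_id:
        return ["no client authentication: add a Basic header (confidential) or client_id (public)"]
    return []


if __name__ == "__main__":
    # Constructed placeholder values; the URL shape follows the custom-server example above.
    url, hdrs, body = build_password_grant_request(
        "https://myorg.okta.com/oauth2/default/v1/token", "abc@xyz.com", "xxxxxx",
        client_id="0oaEXAMPLE", client_secret="s3cret")
    print(hdrs["Authorization"], body, client_auth_problems(hdrs, body))
```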

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.