Private_key_jwt token

Hi,

I'm trying to access the Okta API (okta.groups.read scope).
Unfortunately I'm getting this error:

The issuer and subject claim for client_assertion is invalid because the client does not have a client secret.

The thing is that the Okta API's client application does not have a ClientSecret. I fail to understand what I'm doing wrong.

This is my code (using IdentityModel)

var disco = await GetDiscoveryDocument();
var httpClient = new HttpClient
{
    BaseAddress = new Uri(disco.TokenEndpoint)
};
var jwt = CreateJwt();
using var tokenRequest = new ClientCredentialsTokenRequest
{
    Address = disco.TokenEndpoint,
    GrantType = IdentityModel.OidcConstants.GrantTypes.ClientCredentials,
    ClientId = ClientId,
    Scope = "okta.groups.read",
};
// Send the JWT as a client assertion instead of a client secret
tokenRequest.Parameters["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
tokenRequest.Parameters["client_assertion"] = jwt;

var tokenResponse = await httpClient.RequestClientCredentialsTokenAsync(tokenRequest);
if (tokenResponse.IsError)
    throw new System.NotImplementedException(tokenResponse.ErrorDescription);

private string CreateJwt()
{
    // sub must equal the client_id
    var subject = new ClaimsIdentity(new[] { new Claim("sub", ClientId) });
    // Symmetric (HMAC) signing key
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Private-Key"));
    var signingCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

    var expiration = DateTime.Now.AddSeconds(10 * 60);
    var tokenHandler = new JwtSecurityTokenHandler();
    var jwtSecurityToken = tokenHandler.CreateJwtSecurityToken(
        audience: Authority,
        expires: expiration,
        issuer: ClientId,
        subject: subject,
        signingCredentials: signingCredentials);
    return tokenHandler.WriteToken(jwtSecurityToken);
}

Is there a full step-by-step example of using the Okta API (preferably in C#)?
Thank you
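For reference, this is the shape of a private_key_jwt client assertion (RFC 7523) as an added example, not the poster's code: iss and sub are both the client_id, aud is the token endpoint URL, and the signature uses the client's RSA private key rather than a shared secret, which is what the error message above is objecting to. The `PrivateKeyJwtExample` class name, the PEM key loading and the parameter names are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityModel;
using IdentityModel.Client;
using Microsoft.IdentityModel.Tokens;

public static class PrivateKeyJwtExample
{
    // Builds the client_assertion for private_key_jwt: signed with the client's RSA
    // private key; the authorization server verifies it with the registered public key.
    // Load the key with: var rsa = RSA.Create(); rsa.ImportFromPem(File.ReadAllText("<path-to-private-key.pem>"));
    public static string CreateClientAssertion(string clientId, string tokenEndpoint, RSA privateKey)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, clientId),                  // sub == iss == client_id
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique id, lets the server reject replays
        };
        var credentials = new SigningCredentials(new RsaSecurityKey(privateKey), SecurityAlgorithms.RsaSha256);
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: clientId,
            audience: tokenEndpoint,        // aud is the token endpoint, not the org authority URL
            claims: claims,
            notBefore: now,
            expires: now.AddMinutes(5),     // short lifetime limits the window for a stolen assertion
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Sends the assertion via IdentityModel's ClientAssertion property; no ClientSecret is set.
    public static Task<TokenResponse> RequestTokenAsync(HttpClient http, string clientId,
        string tokenEndpoint, RSA privateKey, string scope)
    {
        var request = new ClientCredentialsTokenRequest
        {
            Address = tokenEndpoint,
            ClientId = clientId,
            Scope = scope,
            ClientCredentialStyle = ClientCredentialStyle.PostBody,
            ClientAssertion = new ClientAssertion
            {
                Type = OidcConstants.ClientAssertionTypes.JwtBearer,
                Value = CreateClientAssertion(clientId, tokenEndpoint, privateKey),
            },
        };
        return http.RequestClientCredentialsTokenAsync(request);
    }
}
```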
