{
  "error": "invalid_client",
  "error_description": "The issuer and subject claim for client_assertion is invalid because the client does not have a client secret."
}
Take a look at the “alg” claim in the header of the client_assertion JWT that you are passing to the /token endpoint. I suspect that you are probably using an HMAC signing algorithm (HS*), rather than a private-key based algorithm like RS256.
Those are the signing keys that you intend to use to sign your client_assertion token. You need to look at the actual token being provided in the token request being made to Okta.
When I am making the following request for gettoken, I am getting the error: [The issuer and subject claim for client_assertion is invalid because the client does not have a client secret]
I understand one of the engineers would respond via email, but it would be great if you could post the issue & resolution in this thread. It will be helpful for others when they face similar issues.
Hello,
I recommend starting a new post so you can provide the details of the call you are making and the response you get back. One thing you might try is to change the Curl command (if you are using it), because sometimes using ‘-d’ can get messed up with spaces and line continuations ‘’.
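The check suggested earlier in the thread (read the “alg” header of the client_assertion actually sent to /token), as an added example that is not part of any post above and is not Okta's code. It reads the header and claims without verifying the signature and reports an HMAC algorithm or mismatched iss/sub. The client id, org URL and sample tokens are constructed, and the iss/sub/aud expectations are taken from the private_key_jwt rules in OpenID Connect Core.

```python
import base64
import json
import time

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def inspect_client_assertion(token, client_id, token_url, now=None):
    """Return a list of findings; empty means nothing wrong was seen (signature NOT verified)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS: expected 3 dot-separated segments"]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    findings = []
    alg = str(header.get("alg", ""))
    if not alg or alg.lower() == "none":
        findings.append("alg is missing or 'none'")
    elif alg.upper().startswith("HS"):
        findings.append(f"alg {alg} is HMAC: signed with a shared secret, not a private key")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        findings.append("iss and sub must both equal the client_id")
    aud = claims.get("aud")
    if token_url not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud does not contain the token endpoint URL")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        findings.append("exp is missing or in the past")
    return findings

def make_sample(alg, claims):
    """Build a constructed sample token; the signature segment is a placeholder."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])

# Constructed sample values: hypothetical client id and org URL, not from the thread.
CLIENT_ID = "0oaEXAMPLEclientid"
TOKEN_URL = "https://example.okta.com/oauth2/v1/token"
SAMPLE_CLAIMS = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_URL, "exp": 2_000_000_000}

if __name__ == "__main__":
    for a in ("HS256", "RS256"):
        tok = make_sample(a, SAMPLE_CLAIMS)
        print(a, inspect_client_assertion(tok, CLIENT_ID, TOKEN_URL, now=1_700_000_000))
```

Run it against the exact client_assertion value from the failing request, not against the key material configured for the app.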