The issuer and subject claim for client_assertion is invalid because the client does not have a client secret

I have created an app using the steps mentioned at :

The app is created successfully, but it doesn’t have a client secret when I check it on the Okta dashboard.

Now I followed the steps mentioned at https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/get-access-token/

it fails with the following error:

{
  "error": "invalid_client",
  "error_description": "The issuer and subject claim for client_assertion is invalid because the client does not have a client secret."
}

Take a look at the “alg” claim in the header of the client_assertion JWT that you are passing to the /token endpoint. I suspect that you are probably using an HMAC signing algorithm (HS*), rather than a private-key based algorithm like RS256.
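A preflight check that does what the reply above suggests, written as an added example rather than code from the thread or from Okta: it decodes the header and payload of a client_assertion you generated yourself and flags a symmetric “alg” (HS*), an iss/sub that differs from the client_id, a wrong aud, or an expired exp. The client_id, domain and the HMAC secret are constructed placeholders, and the RS256-shaped token carries a dummy signature because the check only inspects claims and never verifies signatures (the standard library has no RSA).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders, not real Okta values.
CLIENT_ID = "0oaexampleclientid"
TOKEN_ENDPOINT = "https://example.okta.com/oauth2/v1/token"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_signing_input(alg: str, client_id: str, audience: str, lifetime: int = 300) -> str:
    # header.payload for a private_key_jwt assertion: iss and sub are both the
    # client_id, aud is the token endpoint the assertion will be posted to.
    now = int(time.time())
    header = {"alg": alg, "typ": "JWT"}
    payload = {"iss": client_id, "sub": client_id, "aud": audience,
               "iat": now, "exp": now + lifetime}
    return ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, payload))


def hs256_assertion(client_id: str, audience: str, secret: bytes) -> str:
    # A shared-secret (HMAC) signed token: the kind of assertion a service app
    # without a client secret cannot be verified against.
    signing_input = build_signing_input("HS256", client_id, audience)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def rs256_shaped_assertion(client_id: str, audience: str) -> str:
    # Constructed for the demo: an RS256 header with a dummy 256-byte signature.
    # A real assertion would be signed with the app's private key instead.
    return build_signing_input("RS256", client_id, audience) + "." + b64url_encode(b"\x00" * 256)


def inspect_client_assertion(token: str, client_id: str, token_endpoint: str, now=None) -> list:
    """Preflight checks on a client_assertion before sending it to /token.
    Returns a list of problems; an empty list means the checks passed."""
    now = int(time.time()) if now is None else now
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return ["header or payload is not base64url-encoded JSON"]
    alg = str(header.get("alg", ""))
    if not (alg.startswith("RS") or alg.startswith("ES")):
        problems.append(f"alg is {alg!r}; private_key_jwt needs an asymmetric algorithm such as RS256")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    aud = claims.get("aud")
    if aud != token_endpoint and not (isinstance(aud, list) and token_endpoint in aud):
        problems.append("aud must be the token endpoint URL")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp is missing or already in the past")
    return problems


if __name__ == "__main__":
    bad = hs256_assertion(CLIENT_ID, TOKEN_ENDPOINT, b"constructed-shared-secret")
    good = rs256_shaped_assertion(CLIENT_ID, TOKEN_ENDPOINT)
    print("HS256 token:", inspect_client_assertion(bad, CLIENT_ID, TOKEN_ENDPOINT))
    print("RS256 token:", inspect_client_assertion(good, CLIENT_ID, TOKEN_ENDPOINT))
```

Run it against the exact string you put in the client_assertion parameter; the first line of output is the kind of finding the reply is describing, an HS* algorithm where Okta expects a private-key signature.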

Here is a screenshot of my test project

Those are the signing keys that you intend to use to sign your client_assertion token. You need to look at the actual token being provided in the token request being made to Okta.

When I make the following request to get a token, I get the error: [The issuer and subject claim for client_assertion is invalid because the client does not have a client secret]

curl -X POST "https://{yourOktaDomain}/oauth2/v1/token" \
    -H "Accept: application/json" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials \
    &scope=okta.users.read \
    &client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
    &client_assertion=eyJhbGciOiJSUzI1…..feCJfSqsJeEKGjJqp1accnXpPbCSi1-2UQ"

Hi @fordevelopment2019,

Could you please email developers@okta.com with the details so that one of our engineers can help you with further troubleshooting?

I understand one of the engineers would respond via email, but it would be great if you could post the issue & resolution in this thread. It will be helpful for others when they face similar issues.

Is there any update on this issue? I’m facing exactly the same behaviour.

Hello,
I recommend starting a new post so you can provide the details of the call you are making and the response you get back. One thing you might try is changing the curl command (if you are using it), because sometimes using ‘-d’ can get messed up with spaces and line continuations ‘\’.

If this might be the issue try reformatting to:

curl --location --request POST 'https://{DOMAIN}.okta.com/oauth2/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'redirect_uri=http://whatever.u.have.setup' \
--data-urlencode 'scope=okta.users.read' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhbG..HA'
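To make the whitespace problem the reply above describes visible, here is an added example (not code from the thread) that reconstructs the request body the shell hands to curl for the multi-line -d "..." form, parses it as the token endpoint would, and contrasts it with a body built the way --data-urlencode builds it. The body string and the short assertion value are constructed for the demo; inside double quotes the shell removes each backslash-newline pair but keeps the indentation of the next line, so those spaces land inside the form values.

```python
from urllib.parse import parse_qs, urlencode

# Constructed: what reaches curl after the shell joins the continued lines of
#   -d "grant_type=client_credentials \
#       &scope=okta.users.read \ ..."
# The indentation survives as literal spaces inside each value.
BROKEN_BODY = ("grant_type=client_credentials     "
               "&scope=okta.users.read     "
               "&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer     "
               "&client_assertion=eyJhbG.EXAMPLE.HA")

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def parse_form_body(body: str) -> dict:
    # application/x-www-form-urlencoded as a server sees it: split on '&',
    # percent-decode, keep blank values so nothing silently disappears.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_whitespace_problems(body: str) -> list:
    # Names of parameters whose key or value carries leading/trailing whitespace,
    # which a strict token endpoint will reject (e.g. an unknown grant_type).
    return [k for k, v in parse_form_body(body).items()
            if k != k.strip() or v != v.strip()]


def build_token_request_body(client_assertion: str, scope: str) -> str:
    # Equivalent of several --data-urlencode flags: each value is percent-encoded
    # and the pairs are joined with '&' with no stray whitespace.
    return urlencode({
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": client_assertion,
    })


if __name__ == "__main__":
    print("broken grant_type:", repr(parse_form_body(BROKEN_BODY)["grant_type"]))
    print("parameters with whitespace:", find_whitespace_problems(BROKEN_BODY))
    fixed = build_token_request_body("eyJhbG.EXAMPLE.HA", "okta.users.read")
    print("fixed body:", fixed)
    print("parameters with whitespace:", find_whitespace_problems(fixed))
```

The first line of output shows the grant_type arriving as 'client_credentials     ' rather than 'client_credentials', which is why putting each parameter in its own --data-urlencode flag, or on a single unbroken -d line, is worth trying before digging further into the assertion itself.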

Hi, any update on this issue? I’m also having the same issue. My use case is that I need to access users and groups using the client credentials.