I have created app using steps mentioned at :
App is created successfully but app doesn’t have client secret when I check that on okta dashboard.
Now I followed the steps mentioned at https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/get-access-token/
it fails with following error:
Error:
{
“error”: “invalid_client”,
“error_description”: “The issuer and subject claim for client_assertion is invalid because the client does not have a client secret.”
}
Take a look at the “alg” claim in the header of the client_assertion jwt that you are passing to the /token endpoint. I suspect that you are probably using a HMAC signing algorithm (HS*), rather than a private-key based algorithm like RS256.
Those are the signing keys that you intend to use to sign your client_assertion token. You need to look at the actual token being provided in the token request being made to Okta.
When I am making following request for gettoken, i am getting error: [The issuer and subject claim for client_assertion is invalid because the client does not have a client secret]
curl -X POST "https://{yourOktaDomain}/oauth2/v1/token"
-H "Accept: application/json"
-H "Content-Type: application/x-www-form-urlencoded"
-d "grant_type=client_credentials \
&scope=okta.users.read \
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
&client_assertion=eyJhbGciOiJSUzI1…..feCJfSqsJeEKGjJqp1accnXpPbCSi1-2UQ"
Could you please email to developers@okta.com with the details so that one of our Engineers can help you with further troubleshooting ?
I understand one of the engineers would respond via email but it would be great if you could post the issue & resolution in this thread. It will be helpful for others when they face similar issues