/token endpoint is returning "invalid_client: No client credentials found"

ETA: Please ignore; this has been resolved.

I’m trying to implement the Authorization Code Flow to integrate a web app with Okta.

I have a button on my login page, which links to a URL like this:

https://my-okta-subdomain.okta.com/oauth2/default/v1/authorize?response_type=code&scope=openid&client_id=MY_APPLICATIONS_CLIENT_ID&redirect_uri=http%3A%2F%2Fmy-development-domain.com%2Fbackend%2Fimmersionactive%2Fsso%2Fcallback&state=MY_STATE_VAR

Clicking on that button takes the user to the Okta login form. Upon entering valid credentials, the user gets redirected to:

http://my-development-domain.com/backend/immersionactive/sso/oauth2callback?code=SOME_CODE&state=MY_STATE_VAR

My application takes the “code” from the URL, and tries to exchange it for a token. The request it makes looks like this:

POST https://my-okta-subdomain.okta.com/oauth2/default/v1/token

Headers:

Accept: application/json
Connection: close
Content-Length: 0
Content-Type: application/x-www-form-urlencoded

POST body:

grant_type=authorization_code&code=SOME_CODE&redirect_uri=http%3A%2F%2Fmy-development-domain.com%2Fbackend%2Fimmersionactive%2Fsso%2Foauth2callback&client_id=MY_APPLICATIONS_CLIENT_ID&client_secret=MY_APPLICATIONS_CLIENT_SECRET

The response I get back is:

{
    "error": "invalid_client",
    "error_description": "No client credentials found."
}

I’ve double-checked that MY_APPLICATIONS_CLIENT_ID and MY_APPLICATIONS_CLIENT_SECRET are correct.

Any suggestions?

Never mind – I removed all of the request headers, and now it’s working. (The PHP Quickstart says to include these headers – but other docs do not.)

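An added illustration, not part of the original post and not Okta's code: the posted request declares `Content-Length: 0` while carrying a form body, and a receiver that honours that header reads no body and so finds no `client_id` or `client_secret`. `server_view` is a hypothetical model of such a receiver; that this is why removing the headers helped is an assumption, and all values are the post's placeholders.

```python
from urllib.parse import parse_qs, urlencode

# Constructed form body: same parameters and placeholder values as the post.
FORM = urlencode({
    "grant_type": "authorization_code",
    "code": "SOME_CODE",
    "redirect_uri": "http://my-development-domain.com/backend/immersionactive/sso/oauth2callback",
    "client_id": "MY_APPLICATIONS_CLIENT_ID",
    "client_secret": "MY_APPLICATIONS_CLIENT_SECRET",
})

def build_request(body, content_length=None):
    """Serialize the token POST; content_length=None derives it from the body."""
    raw = body.encode()
    length = len(raw) if content_length is None else content_length
    head = (
        "POST /oauth2/default/v1/token HTTP/1.1\r\n"
        "Host: my-okta-subdomain.okta.com\r\n"
        "Accept: application/json\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {length}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + raw

def split_request(request):
    """Return (lower-cased headers, bytes that follow the header block)."""
    head, _, rest = request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode().split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest

def server_view(request):
    """Hypothetical receiver: read exactly Content-Length bytes, then parse the form."""
    headers, rest = split_request(request)
    body = rest[: int(headers.get("content-length", "0"))]
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if not form.get("client_id") or not form.get("client_secret"):
        return {"error": "invalid_client"}  # no credentials visible in the body
    return {"client_id": form["client_id"]}

def length_mismatch(request):
    """Client-side pre-flight check: declared length differs from bytes sent."""
    headers, rest = split_request(request)
    return int(headers.get("content-length", "0")) != len(rest)
```

Running `length_mismatch` on the serialized request in a client's debug path catches a hard-coded or stale `Content-Length` before the token endpoint rejects the exchange.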