okta / samples-js-vue

https://github.com/okta/samples-js-vue

Client Authentication error #91

Closed scott-david-walker closed 3 years ago

scott-david-walker commented 3 years ago

I keep getting a client authentication error. It redirects me to the callback url but the json response contains:

Client authentication failed. Either the client or the client credentials are invalid.

I know my client credentials are correct as I've used these with postman and can authenticate that way.


This is the error from the console but if you click the dev-9775725.Okta.com link then you get:

{"errorCode":"E0000022","errorSummary":"The endpoint does not support the provided HTTP method","errorLink":"E0000022","errorId":"oaexQfz4WjUTQ-ymxwkkgKiDg","errorCauses":[]}

Can anybody point me in a direction to search in? I'm new to Okta and this has stumped me.

swiftone commented 3 years ago

Hi @scott-david-walker, thanks for the report.

Have you set the ISSUER and CLIENT_ID correctly for the code? For this sample code, these are set either as environment variables or using a file named testenv as described in the README.

if you click the dev-9775725.Okta.com link

What you are seeing here is that when the browser navigates to the URL, it is sending a request using the "GET" HTTP method. When you are using Postman, you can see the method actually used (likely POST). That explains the error message you get when you follow the link by clicking: "The endpoint does not support the provided HTTP method", so it is unrelated to the problem you are describing.

scott-david-walker commented 3 years ago

I found the issue: it's because I used the wrong app type. I chose the dotnet setup and it needed the Client SPA. I was under the impression it didn't matter. My mistake.

swiftone commented 3 years ago

Thanks for letting us know! We are looking at how to make the importance more obvious - the "type" of the application decides a lot of details about what data is required for authentication, and how that flow is done.

scott-david-walker commented 3 years ago

For me, I expected them to work together. I have a login page that gives me a token that I can then pass to some web api. So whether I used an SPA setup or Web Api setup should be irrelevant. But maybe that's me being naive :-)

swiftone commented 3 years ago

Your desire is completely reasonable - but the question is less about what your application USING the token is, and more about how you GET the token. A "web" authentication happens from the backend and the responses and storage of any temporary (or lasting) values are considered to be secure from prying eyes (assuming HTTPS). A "spa" authentication happens in the frontend, where everything is visible to the browser and any security issues the browser brings along. (and "mobile" lives in a strange realm that has a little of both).

Once you've gotten the token you can absolutely have a spa pass it to the backend for use (for example) - that's unrelated to how you get the token though. We just need to find a way to make these distinctions and why they are important more clear.