Okta Error Occurs When Requesting OpenID Scopes Using Client Credentials
Overview
When using the client credentials grant, Okta returns an error stating that certain scopes cannot be requested. This occurs because OpenID Connect (OIDC) scopes, such as openid, are passed in the request to the /token endpoint; these scopes are invalid for machine-to-machine authorization, where no end-user is present. Removing the OIDC scopes from the request, or switching to an OIDC flow in which an end-user is authenticated, resolves the issue.
The error returned by the /token endpoint reads:
Cannot request 'openid' scopes using client credentials
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- OAuth 2.0
- Client Credentials Grant
- OpenID Connect (OIDC)
- OIDC scopes: openid, profile, email, phone
Cause
This error occurs because OIDC scopes, such as scope=openid, are passed in a request to the /token endpoint with grant_type=client_credentials. The client credentials grant is an OAuth 2.0 flow for machine-to-machine authorization: the application authenticates as itself, and no end-user is involved.
OIDC scopes exist to describe an authenticated end-user (openid requests an ID token for that user; profile, email, and phone request claims about that user). Since the client credentials grant has no end-user, there is nothing for these scopes to refer to, so passing any OIDC-related scope with this grant is invalid and Okta rejects the request instead of issuing a token.
Solution
How is the "Cannot request 'openid' scopes using client credentials" error resolved?
Review the application architecture and ensure the correct grant or flow is used for the use case, following these guidelines:
- Switch to an OIDC flow (one in which an end-user signs in, for example the authorization code flow) if an end-user is authenticated and more information about that user is needed, such as an email address.
- Remove the OIDC scopes from the request to the /token endpoint if information about an end-user is not needed because the application itself is authenticated; request only the custom scopes defined on the authorization server. An example of this architecture is a daily cron job on a server that pulls data from an API.
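The following Python example is added here to illustrate the second guideline; it is not Okta's code and is not part of the original article. It assembles the form body and HTTP Basic header that a server-side job would POST to the /token endpoint, and it rejects the request locally, before any network call, if an OIDC scope is mixed into a client credentials request. The org URL https://example.okta.com/oauth2/default, the client ID 0oa_example, the secret, and the custom scope reports.read are placeholders; a real custom scope must be defined on the authorization server in Okta.

```python
"""Build an Okta client credentials token request without OIDC scopes.

Added example, not Okta's code. The org URL, authorization server, client
credentials and the custom scope "reports.read" are all placeholders.
"""
import base64
from urllib.parse import urlencode

# Scopes defined by OpenID Connect. They describe an authenticated end-user,
# which the client credentials grant does not have, so Okta rejects them
# with "Cannot request 'openid' scopes using client credentials".
OIDC_SCOPES = frozenset({"openid", "profile", "email", "phone", "address"})


def invalid_scopes_for_grant(grant_type: str, scopes: list) -> list:
    """Return the requested scopes that are not allowed with grant_type.

    Only the client credentials case is enforced here: any OIDC scope is
    invalid because no end-user is involved. Other grants (authorization
    code, refresh token) may legitimately request them.
    """
    if grant_type == "client_credentials":
        return sorted(OIDC_SCOPES.intersection(scopes))
    return []


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credentials as the /token endpoint accepts them."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_client_credentials_request(issuer: str, client_id: str,
                                     client_secret: str, scopes: list) -> dict:
    """Assemble (but do not send) a POST to {issuer}/v1/token.

    Raises ValueError before any network call if an OIDC scope sneaks in,
    which is the misconfiguration the knowledge-base article describes.
    """
    bad = invalid_scopes_for_grant("client_credentials", scopes)
    if bad:
        listed = ", ".join(repr(s) for s in bad)
        raise ValueError(
            f"Cannot request {listed} scopes using client credentials; "
            "remove them or switch to an OIDC flow with an end-user")
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return {
        "method": "POST",
        "url": f"{issuer.rstrip('/')}/v1/token",
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
        "body": body,
    }


if __name__ == "__main__":
    ISSUER = "https://example.okta.com/oauth2/default"  # placeholder org and server
    # A server-side cron job needs only the custom API scope, never openid.
    ok = build_client_credentials_request(ISSUER, "0oa_example", "secret", ["reports.read"])
    print(ok["body"])  # grant_type=client_credentials&scope=reports.read
    try:
        build_client_credentials_request(ISSUER, "0oa_example", "secret",
                                         ["openid", "reports.read"])
    except ValueError as exc:
        print("rejected:", exc)
```

The request dictionary can be handed to any HTTP client; keeping the scope check in front of the call means a misconfigured deployment fails fast with the same wording Okta would return, and the fix (drop the OIDC scope or move to an end-user flow) is spelled out in the exception.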
