When attempting to obtain an access token using the OAuth 2.0 Client Credentials grant type against the Org Authorization Server, the request fails and returns the following error message:
Client Credentials requests to the Org Authorization Server must use the private_key_jwt token_endpoint_auth_method.
This is due to the increased security requirements of the Org Authorization Server.
- OAuth 2.0
- Org Authorization Server
- Client Credentials Grant Type
The Org Authorization Server enforces a higher security standard for machine-to-machine (M2M) authentication compared to custom authorization servers. It requires that applications using the Client Credentials grant type authenticate themselves using the Public Key / Private Key method (private_key_jwt). This method uses a signed JSON Web Token (JWT) for client authentication. This is more secure because the private key never leaves the application.
The error occurs because the OAuth 2.0 application in Okta is configured to use a different client authentication method, such as Client Secret, when making the token request.
To resolve this issue, the application's client authentication method must be updated to use a public/private key pair.
- Log in to the Okta Admin Console as an administrator.
- Navigate to Applications > Applications and select the target application.
- On the application's profile page, select the General tab.
- Scroll to the Client Authentication section and click Edit.
- Select the Public key / Private key option.
- Choose how to provide the public key:
  - Save keys in Okta: Paste the public key in JWK format into the text box.
  - Use a URL: Provide a URL that hosts the public key set in JWKS format.
- Click Save.
After saving this configuration, the application must be updated to generate a signed client assertion JWT to use when calling the token endpoint, instead of sending the client_id and client_secret. The steps for generating this token are detailed in Build a JWT for Client Authentication.
