The purpose of this article is to provide a solution for the following error returned by the /token endpoint when the client authentication method is set to none:
{
  "errorCode": "invalid_client",
  "errorSummary": "A client_id must be provided in the request.",
  "errorLink": "invalid_client"
}
- /token request
- Single-Page Application (SPA)
- Self-Hosted Sign-In Widget
- Okta-Hosted Sign-In Widget
- Okta Identity Engine (OIE)
In an OIDC Single-Page Application (SPA), the client authentication method used in the /token request is none; however, the /token endpoint still has to identify which client is exchanging the authorization code, so the client_id is mandatory even though no client credential is sent.
SPAs and other JavaScript front ends are public clients: they run entirely in the browser and cannot keep a secret, so they have no client secret to present. Instead of a secret, the SPA identifies itself with its client_id and binds the authorization code to itself with PKCE (code_challenge in the /authorize request, code_verifier in the /token request).
In this scenario, when the application makes a /token request, the client_id must be included in the request body. Otherwise, the /token endpoint returns the error shown above.
The solution is to include the client_id associated with the SPA in the /token request.
Example request (values in braces are placeholders; grant_type is the literal string authorization_code):
curl --location 'https://${OktaDomain}/oauth2/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id={client_id_value}' \
--data-urlencode 'redirect_uri={redirect_uri_value}' \
--data-urlencode 'code={authorization_code_value}' \
--data-urlencode 'code_verifier={code_verifier_value}'
The redirect_uri must match the one used in the /authorize request exactly, and the code_verifier must be the value whose S256 hash was sent as code_challenge in that /authorize request.
