This article explains how to resolve the following error, which the /token endpoint returns when the client authentication method is "none":
"errorCode": "invalid_client",
"errorSummary": "A client_id must be provided in the request.",
"errorLink": "invalid_client"
- /token request
- Single-Page Application (SPA)
- Self-hosted sign-in widget
- Okta-hosted sign-in widget
In an OIDC Single-Page Application (SPA), the client authentication method used in the /token request is "none". This does not mean the request may omit client identification: the /token endpoint still has to know which client is exchanging the authorization code, and for a public client that identification comes only from the client_id parameter.
The SPA is a public client and has no client secret, so the client_id must be sent in the /token request body (there is no Authorization header to carry it, as there would be with client_secret_basic). If client_id is missing, the /token endpoint returns the error above.
The solution is to include the client_id of the SPA in the /token request body, alongside the authorization code and the PKCE code_verifier.
Example request (replace ${OktaDomain} and the {...} placeholders with your own values; grant_type is the literal string authorization_code):
curl --location 'https://${OktaDomain}/oauth2/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id={client_id_value}' \
--data-urlencode 'redirect_uri={redirect_uri_value}' \
--data-urlencode 'code={authorization_code_value}' \
--data-urlencode 'code_verifier={code_verifier_value}'
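The same exchange as a browser-side SPA would issue it, as an added example that is not part of the original article or Okta's SDKs. It builds the form-encoded /token body for the authorization_code + PKCE grant, refuses to send a request with no client_id (the condition that produces the invalid_client error above), and deliberately sends no client_secret and no Authorization header, which is what authentication method "none" means. The Okta domain, client_id, code, redirect_uri and code_verifier values in the usage are constructed placeholders.

```javascript
// Added example, not from the original article. Builds and sends the
// /token request an OIDC SPA (public client, auth method "none") makes.

const REQUIRED = ['client_id', 'code', 'redirect_uri', 'code_verifier'];

// Returns the URL, headers and x-www-form-urlencoded body for the request,
// or throws if a required parameter is missing or empty.
function buildTokenRequest(oktaDomain, params) {
  const body = new URLSearchParams();
  // grant_type is a literal value, not something to substitute.
  body.set('grant_type', 'authorization_code');
  for (const name of REQUIRED) {
    const value = params[name];
    if (typeof value !== 'string' || value.length === 0) {
      // A missing client_id is exactly what makes Okta answer
      // errorCode "invalid_client" / "A client_id must be provided".
      throw new Error(`token request is missing ${name}`);
    }
    body.set(name, value);
  }
  return {
    url: `https://${oktaDomain}/oauth2/v1/token`,
    method: 'POST',
    // No Authorization header and no client_secret: the SPA has neither.
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Performs the exchange and surfaces Okta's error fields. fetchImpl is
// injectable so the call can be exercised without network access.
async function exchangeCode(oktaDomain, params, fetchImpl = fetch) {
  const req = buildTokenRequest(oktaDomain, params);
  const res = await fetchImpl(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  const json = await res.json();
  if (!res.ok) {
    // /token errors arrive either as errorCode/errorSummary (as in this
    // article) or as error/error_description (RFC 6749 style).
    const code = json.errorCode || json.error || `HTTP ${res.status}`;
    const summary = json.errorSummary || json.error_description || '';
    throw new Error(`${code}: ${summary}`);
  }
  return json; // access_token, id_token, expires_in, ...
}

// Constructed placeholder values; a real SPA takes code from the redirect
// query string and code_verifier from the value it stored before /authorize.
const exampleRequest = buildTokenRequest('dev-000000.okta.com', {
  client_id: '0oaexampleclientid',
  code: 'example_authorization_code',
  redirect_uri: 'http://localhost:8080/login/callback',
  code_verifier: 'v'.repeat(43),
});
```

Keep the code_verifier in memory (or sessionStorage) only for the lifetime of the login, and never add a client_secret to an SPA to "fix" this error: the shipped JavaScript is public, so a secret there is no secret, and the correct fix is simply the client_id in the body.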
