Error "subject token is invalid" During OAuth 2.0 Token Exchange Flow
Okta Identity Engine
API Access Management
Overview

When attempting to perform an OAuth 2.0 On-Behalf-Of Token Exchange (using the grant type urn:ietf:params:oauth:grant-type:token-exchange), the request to the /token endpoint fails. The following error is returned:


{ "error": "invalid_grant", "error_description": "subject token is invalid" }


Applies To
  • Okta Identity Engine (OIE)
  • OAuth 2.0 / OpenID Connect (OIDC)
  • Token Exchange Grant Type
Cause

This error is returned when the Okta Authorization Server cannot validate the subject_token supplied in the token exchange request. The most common reasons the validation fails are:

  1. Expired token: The subject_token has expired. Okta compares the exp claim against the current time, so a token that was valid when it was obtained can still fail if it is exchanged too late.
  2. Invalid audience: The aud (audience) claim in the subject_token does not match the client_id of the application that is making the token exchange request.
  3. Issuer mismatch: The iss (issuer) claim of the subject_token names a different authorization server than the one whose /token endpoint is being called (for example, a token from the org authorization server presented to a custom authorization server, or the other way round).
Solution

First, decode the subject_token and inspect its claims (jwt.io or any local JWT decoder works; the token is a bearer credential, so prefer decoding production tokens locally rather than pasting them into a third-party site). Confirm the following:

  • Check the exp claim: Ensure the token has not expired at the moment the exchange request is sent.
  • Check the aud claim: Verify that this claim exactly matches the Client ID of the application that is making the request to the /token endpoint.
  • Check the iss claim: Verify that the issuer URL is that of the same authorization server whose /token endpoint is being called for the exchange.
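The three checks above, carried out in code rather than by eye. This is an added example, not part of the original article or of any Okta SDK: it decodes the subject_token payload without verifying the signature (inspection only, exactly what jwt.io does) and reports which of exp, aud or iss disagree with the request. The issuer URL, client ID and sample tokens below are constructed placeholders; the aud handling also covers the array form RFC 7519 allows, which goes slightly beyond the single-value case the article describes.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Inspection only, like pasting the token into jwt.io; never use this to
    decide whether to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def check_subject_token(token: str, expected_client_id: str, expected_issuer: str,
                        now: Optional[int] = None) -> list:
    """Compare exp, aud and iss against what the /token call expects.

    Returns a list of findings in the order exp, aud, iss; an empty list means
    the three claims the article names are consistent with the request.
    """
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    findings = []

    exp = claims.get("exp")
    if exp is None:
        findings.append("exp: claim missing")
    elif now >= exp:  # RFC 7519: current time MUST be before exp
        findings.append(f"exp: token expired {now - exp}s ago (exp={exp}, now={now})")

    # aud may be a single string or an array of strings (RFC 7519 section 4.1.3)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in audiences:
        findings.append(f"aud: {aud!r} does not contain the requesting client_id {expected_client_id!r}")

    iss = claims.get("iss")
    if iss != expected_issuer:
        findings.append(f"iss: {iss!r} is not the authorization server being called {expected_issuer!r}")

    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature; for constructed test input only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"  # base64url("signature"), not a real RS256 signature


# Constructed sample values: the Okta domain, authorization server ID and
# client IDs are placeholders, not real identifiers.
ISSUER = "https://example.okta.com/oauth2/aus1abcdef2ghijkl3m4"
CLIENT_ID = "0oa1abcdef2ghijkl3m4"
NOW = 1_700_000_000  # fixed clock so the checks are reproducible

GOOD_TOKEN = make_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user@example.com",
                                  "iat": NOW - 60, "exp": NOW + 3600})
# Expired, issued by the org (default) server, and minted for a different client.
BAD_TOKEN = make_unsigned_token({"iss": "https://example.okta.com/oauth2/default",
                                 "aud": "0oa9zyxwvut8srqpon7m6", "sub": "user@example.com",
                                 "iat": NOW - 7200, "exp": NOW - 3600})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        problems = check_subject_token(tok, CLIENT_ID, ISSUER, now=NOW)
        print(name, "->", problems or ["exp, aud and iss are consistent with the request"])
```

Run it against a real subject_token by passing the token string, the Client ID used in the exchange request and the issuer of the authorization server whose /token endpoint you call; an empty result means the three claims the article lists are not the problem and the remaining causes (signature, token type, revocation) need to be looked at.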