Okta Native2WebSSO Implementation Fails With an "Token Exchange requests must include a valid audience of the authorization server." Error
Last Updated:
Overview
When implementing the Native to Web SSO (Native2WebSSO) flow, a user receives an invalid_target error when making a POST request to the /oauth2/v1/token endpoint using the Token Exchange grant type. This occurs because the audience parameter in the token exchange request is either absent or incorrectly formatted. Including the audience parameter constructed with the specific URN format resolves the issue. When this failure occurs, Okta generates the following error response:
{
"error": "invalid_target",
"error_description": "Token Exchange requests must include a valid audience of the authorization server."
}
Applies To
- Okta Identity Engine (OIE)
- Native to Web SSO (Native2WebSSO)
- Web Application
Cause
The audience parameter in the token exchange request is either absent or not formatted in the URN format that Okta expects for the Native2WebSSO flow. Okta requires the audience to explicitly reference the target Web Application using a specific urn:okta:apps: prefix.
Solution
How is the invalid target error resolved in a Native2WebSSO token exchange flow?
Resolve the invalid_target error by passing the audience parameter in the correct URN format, using the Client ID of the target Web Application.
- In the Okta Admin Console, go to Applications > Applications and open the target Web Application.
- On the General tab, copy the Client ID.
- In the token exchange request to
/oauth2/v1/token, include the audience parameter constructed asurn:okta:apps:<Client_ID>.
