When an OAuth or OpenID Connect (OIDC) application is configured to use Public Key / Private Key for its Client Credentials configuration, a call to a protected endpoint for that application (for example, /token, /introspect, or any other OAuth endpoint that requires client authentication) may return an error whose description reads:
"The audience claim for client_assertion must be the endpoint invoked for the request."
- OAuth/OIDC Applications
- Client Authentication
- Public Key / Private Key
The client_assertion is the JWT that provides the client authentication. If this JWT does not contain an audience claim (aud) exactly equal to the absolute URL being called, the endpoint returns the error above.
The complete error response looks like this:
{
  cause: {
    error: 'invalid_client',
    error_description: 'The audience claim for client_assertion must be the endpoint invoked for the request.'
  },
  code: 'OAUTH_RESPONSE_BODY_ERROR',
  error: 'invalid_client',
  status: 401,
  error_description: 'The audience claim for client_assertion must be the endpoint invoked for the request.'
}
For example, if https://{{okta-domain}}/oauth2/default/v1/token is being called, the JWT must contain an aud value exactly equal to that URL. A valid decoded token looks similar to this:
{
  "aud": "https://{{okta-domain}}/oauth2/default/v1/token",
  "sub": "0oakdtexeaxklfpc61d7",
  "iss": "0oakdtexeaxklfpc61d7",
  "iat": 1740614930,
  "exp": 1740618530
}
Generate a client assertion JWT whose aud value equals the exact endpoint URL being called, as outlined in the "JWT with private key" guide.
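The following is an added example, not code from the original article or from the identity provider it describes. It builds the client assertion claims shown above (aud set to the invoked endpoint, iss and sub set to the client ID, a one-hour iat/exp window), assembles the compact JWS around an injected signing callback, and mirrors the server's exact-match audience check so a mismatch can be diagnosed before the request is sent. The client ID is the one from the decoded token above; the domain, the endpoint URLs and the stand-in signer are constructed for the demonstration. In real use the signer must produce an RS256 signature (RSASSA-PKCS1-v1_5 with SHA-256) over the signing input using the private key whose public half is registered on the application; any JOSE or crypto library can supply that.

```python
import base64
import json
import time
from typing import Callable, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(client_id: str, endpoint_url: str,
                 now: Optional[int] = None, ttl_seconds: int = 3600) -> dict:
    """Claims for a private_key_jwt client assertion.

    aud must be the exact absolute URL that will be invoked; iss and sub are
    both the client ID, matching the decoded example in the article.
    """
    now = int(time.time()) if now is None else now
    return {
        "aud": endpoint_url,
        "sub": client_id,
        "iss": client_id,
        "iat": now,
        "exp": now + ttl_seconds,
    }


def build_client_assertion(claims: dict, sign: Callable[[bytes], bytes],
                           kid: Optional[str] = None, alg: str = "RS256") -> str:
    """Assemble header.payload.signature; `sign` receives the ASCII signing input.

    `sign` is assumed to implement the algorithm named in `alg` with the
    application's registered private key (stub signers are for tests only).
    """
    header = {"alg": alg, "typ": "JWT"}
    if kid:
        header["kid"] = kid  # lets the server pick the right registered key
    compact = separators = (",", ":")
    signing_input = (b64url(json.dumps(header, separators=compact).encode()) + "."
                     + b64url(json.dumps(claims, separators=compact).encode()))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def check_audience(assertion: str, invoked_url: str) -> Tuple[bool, str]:
    """Mirror of the server-side check that produces the article's error.

    The payload is decoded without verifying the signature, which is fine here:
    this is a local pre-flight diagnosis of our own token, not a trust decision.
    The comparison is a plain string equality, so a trailing slash, a different
    scheme, or a different authorization-server path all fail.
    """
    try:
        payload = json.loads(b64url_decode(assertion.split(".")[1]))
    except (IndexError, ValueError) as exc:
        return False, f"assertion is not a compact JWS: {exc}"
    aud = payload.get("aud")
    if aud is None:
        return False, "aud claim is missing"
    if aud == invoked_url:
        return True, "aud matches the invoked endpoint"
    return False, f"aud is {aud!r} but the request goes to {invoked_url!r}"


# Constructed values for the offline demonstration.
CLIENT_ID = "0oakdtexeaxklfpc61d7"
TOKEN_URL = "https://dev-000000.okta.com/oauth2/default/v1/token"       # constructed
INTROSPECT_URL = "https://dev-000000.okta.com/oauth2/default/v1/introspect"


def stub_signer(signing_input: bytes) -> bytes:
    """Stand-in signer so the example runs offline; NOT a valid RS256 signature."""
    return b"\x00" * 8


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Builds one assertion for /token and checks it against three target URLs."""
    claims = build_claims(CLIENT_ID, TOKEN_URL, now=1740614930)
    assertion = build_client_assertion(claims, stub_signer, kid="constructed-kid")
    return (
        check_audience(assertion, TOKEN_URL),          # exact match: accepted
        check_audience(assertion, TOKEN_URL + "/"),    # trailing slash: rejected
        check_audience(assertion, INTROSPECT_URL),     # different endpoint: rejected
    )


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

One practical consequence of the exact-match rule, visible in the third check: an assertion minted for /token cannot be reused against /introspect or /revoke, so the client needs to build a fresh assertion (or at least a fresh aud) per endpoint it calls.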
