
Token Exchange Grant Type is Missing from the OAuth2.0 Metadata URL

Okta Classic Engine
Okta Identity Engine
API Access Management

Overview

This article explains why the token-exchange grant type is missing from the OAuth2.0 Metadata URL.

Applies To

  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • OAuth 2.0 On-Behalf-Of Token Exchange

Cause

The JSON response of the OAuth2.0 Metadata URL will not contain the token-exchange grant type by default.

NOTE: The "grant_types_supported" array will not include: "urn:ietf:params:oauth:grant-type:token-exchange".


Solution

NOTE: The token-exchange grant type (and functionality) is only applicable while using a Custom Authorization Server.

 

Additional details:

  • The client_id of a Native OIDC application type or an OAuth2.0 Service application (with the grant type enabled) must be appended to the metadata URL.
  • If the token exchange grant type is enabled, then the following value will be included in the "grant_types_supported" array: "urn:ietf:params:oauth:grant-type:token-exchange".

 

  1. Ensure that the "token-exchange" grant type is enabled in the application's settings.

  2. Append the client_id of the OIDC application as a query parameter at the end of the Metadata URL.

Example: 

curl -i -X GET \
  'https://{oktadomainName}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server?client_id=string'
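
To verify the result of the steps above, the following added example (not Okta's code) builds the metadata URL with the client_id appended and checks whether "grant_types_supported" lists the token-exchange value. The domain, authorization server ID, client ID and the two JSON responses are constructed placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"

def metadata_url(okta_domain, auth_server_id, client_id=None):
    """Metadata URL of a Custom Authorization Server, optionally with client_id appended."""
    url = (f"https://{okta_domain}/oauth2/{auth_server_id}"
           "/.well-known/oauth-authorization-server")
    if client_id:
        url += "?" + urlencode({"client_id": client_id})  # URL-encode the value
    return url

def advertises_token_exchange(metadata_json):
    """True if grant_types_supported lists the token-exchange grant type."""
    grants = json.loads(metadata_json).get("grant_types_supported", [])
    return TOKEN_EXCHANGE in grants

def diagnose(default_json, client_json):
    """Compare the default response with the one fetched with ?client_id=..."""
    if advertises_token_exchange(client_json):
        return "ok: token-exchange is listed when client_id is appended"
    if advertises_token_exchange(default_json):
        return "unexpected: listed by default but not for this client"
    return ("missing: enable the token-exchange grant type on the application "
            "and confirm it is a Native OIDC or OAuth2.0 Service app")

# Constructed sample responses (trimmed to the relevant fields), not real Okta output.
DEFAULT_SAMPLE = json.dumps({
    "issuer": "https://example.okta.com/oauth2/ausEXAMPLE",
    "grant_types_supported": ["authorization_code", "refresh_token",
                              "client_credentials"],
})
CLIENT_SAMPLE = json.dumps({
    "issuer": "https://example.okta.com/oauth2/ausEXAMPLE",
    "grant_types_supported": ["authorization_code", "refresh_token",
                              "client_credentials", TOKEN_EXCHANGE],
})

if __name__ == "__main__":
    print(metadata_url("example.okta.com", "ausEXAMPLE", "0oaEXAMPLE"))
    print(diagnose(DEFAULT_SAMPLE, DEFAULT_SAMPLE))
    print(diagnose(DEFAULT_SAMPLE, CLIENT_SAMPLE))
```

Pass the body of the curl response (without the headers that -i prints) as the JSON argument.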

 
