invalid_client error when requesting an OAuth 2.0 access token in AM (All versions)
The purpose of this article is to provide assistance if you receive an "invalid_client" error when requesting an OAuth 2.0 access token in AM. This error happens when the Token Endpoint Authentication Method is set to client_secret_basic (which is the default method) and the grant type is either password (resource owner password credentials) or client_credentials.
Symptoms
One of the following errors is shown when requesting an OAuth 2.0 access token with the Token Endpoint Authentication Method set to client_secret_basic and the grant_type set to password or client_credentials. For example:
- grant_type=password and scope=openid%20profile:
  $ curl -X POST -d "client_id=myClientID&client_secret=password&grant_type=password&username=jdoe&password=changeit&scope=openid%20profile" https://am.example.com:8443/am/oauth2/access_token
  {"error":"invalid_client","error_description":"Invalid authentication method for accessing this endpoint."}
- grant_type=client_credentials:
  $ curl -X POST -d "grant_type=client_credentials&client_id=myClientID&client_secret=password" https://am.example.com:8443/am/oauth2/access_token
  {"error":"invalid_client","error_description":"Client authentication failed"}
Causes
The wrong client authentication method is being used for requests that use the resource owner password credentials grant type with the openid scope, or the client_credentials grant type.
This issue is only seen when using the openid scope, as this is an OIDC concept. Per the OpenID standard, the client authentication method can be defined in the configuration of the OAuth2 provider (in this case AM). If no method is selected, client_secret_basic is used by default; with that method AM expects the client_id and client_secret in an HTTP Basic Authorization header, whereas the curl requests above pass them as form fields in the request body, which is the client_secret_post method. See OpenID Connect Core 1.0 Specification - Client Authentication for further details.
Solution
This issue can be resolved by setting the Token Endpoint Authentication Method to client_secret_post.
You can set the Token Endpoint Authentication Method using either the AM admin UI or ssoadm:
- AM admin UI: navigate to Realms > [Realm Name] > Applications > OAuth 2.0 > [Client ID] > Advanced > Token Endpoint Authentication Method and select the client_secret_post option.
- ssoadm: enter the following command, replacing [realmname], [clientname], [adminID] and [passwordfile] with appropriate values:
  $ ./ssoadm update-agent -e [realmname] -b [clientname] -u [adminID] -f [passwordfile] -a com.forgerock.openam.oauth2provider.tokenEndPointAuthMethod=client_secret_post
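Added example (not part of the original article, and not AM's own code): it builds the token request headers and body for each Token Endpoint Authentication Method, then checks a request against the method configured on the client, so you can see why the curl requests in the Symptoms section (secret in the POST body, no Authorization header) are rejected under client_secret_basic. The function names and the CURL_BODY sample are mine; the sample body is copied from the first curl command above.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode

# Constructed sample: body of the first curl request in Symptoms (secret in the body, no Authorization header).
CURL_BODY = ("client_id=myClientID&client_secret=password&grant_type=password"
             "&username=jdoe&password=changeit&scope=openid%20profile")

def build_token_request(method, client_id, client_secret, grant_type, **params):
    """Return (headers, body) for a POST to the token endpoint using the given
    Token Endpoint Authentication Method."""
    form = {"grant_type": grant_type, **params}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret separately, then
        # base64-encode "id:secret" into an HTTP Basic Authorization header.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif method == "client_secret_post":
        # The credentials travel as form fields in the request body instead.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported Token Endpoint Authentication Method: {method}")
    return headers, urlencode(form)

def credential_location(headers, body):
    """Report where a request carries the client secret: header, body, both or none."""
    in_header = headers.get("Authorization", "").startswith("Basic ")
    in_body = "client_secret" in parse_qs(body)
    return {(True, True): "both", (True, False): "header",
            (False, True): "body", (False, False): "none"}[(in_header, in_body)]

def check_request(configured_method, headers, body):
    """Return (ok, reason): does the request match the client's configured method?
    A mismatch is what the token endpoint reports as invalid_client."""
    expected = {"client_secret_basic": "header", "client_secret_post": "body"}[configured_method]
    where = credential_location(headers, body)
    if where == expected:
        return True, f"credentials in the {where}, as {configured_method} expects"
    if where == "both":
        # RFC 6749 section 2.3: a client must not use more than one method per request.
        return False, "credentials sent in both header and body"
    return False, f"credentials in the {where}, but {configured_method} expects the {expected}"

if __name__ == "__main__":
    print(check_request("client_secret_basic", {}, CURL_BODY))
    print(check_request("client_secret_basic", *build_token_request(
        "client_secret_basic", "myClientID", "password", "client_credentials")))
```

Either fix resolves the mismatch: switch the client to client_secret_post as the Solution describes, or keep client_secret_basic and send the credentials in the Authorization header that build_token_request produces.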