
Failed to Create an Okta OIDC Application Without Authorization Code Grant

Publish Date: Aug 18, 2025
Solution

SYMPTOM

Okta is configured as the OpenID Connect Dynamic Client Registration provider for Client Management in Anypoint Platform.
Creating a client in Exchange without "Authorization Code Grant" selected fails with the error: "Client: Invalid OpenID Connect client creation request. OpenID provider responded with status code 400".

CAUSE

When only "implicit" is selected, Anypoint Platform sends the following request to Okta:

curl -X POST \
  <CLIENT_REGISTRATION_URL> \
  -H 'Authorization: SSWS <TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_name": "OKTA_CLIENT_WITHOUT_AUTHCODE",
    "redirect_uris": [
      "http://localhost"
    ],
    "response_types": [
      "token",
      "id_token"
    ],
    "grant_types": [
      "implicit"
    ],
    "token_endpoint_auth_method": "client_secret_basic"
  }'

and gets the response:

{"error":"invalid_client_metadata","error_description":"'grant_types' must contain 'authorization_code' when 'application_type' is 'web'."}


Okta's implementation of OpenID Connect Dynamic Client Registration deviates from Anypoint's in small but noticeable ways. In particular, clients with only the implicit grant type cannot be created with a by-the-letter implementation of the specification.

WORKAROUND

When creating a client in Okta with OIDC, select "Authorization Code Grant" in addition to "Implicit Grant", "Resource Owner Grant", or whichever other grant type you have chosen.

Refer to the MuleSoft documentation to understand the Supported Grant Types when Configuring OpenID Connect Client Management.

Additionally, consider not using the implicit grant type, as it has a very narrow set of useful applications according to the Okta documentation.

APPENDIX

When using OpenID Connect Dynamic Client Registration, one of the parameters specified by the standard is application_type. Two possible values are defined: web and native. Please see the OpenID spec documentation.

application_type
OPTIONAL. Kind of the application. The default, if omitted, is web. The defined values are native or web.


For creating clients without the authorization_code grant type, Okta requires non-standard application types:

  • browser for implicit
  • service for client_credentials - Works with OAuth 2.0 flow (not OpenID Connect)

Please see Okta documentation to Register a Client Application for Dynamic Client Registration.
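
The rules above can be applied as a pre-flight check on a registration body before it is sent to Okta. This is an added example, not MuleSoft or Okta code; the function name, finding strings and sample bodies are constructed for illustration and encode only the rules quoted in this article.

```python
# Added example: pre-flight check for an OIDC Dynamic Client Registration body.
# It encodes only the Okta behaviour described in this article.

# application_type Okta expects for clients created without authorization_code
# (from the appendix of this article).
OKTA_TYPE_FOR_GRANT = {"implicit": "browser", "client_credentials": "service"}


def check_registration(body: dict) -> list:
    """Return findings for a registration body; an empty list means none apply."""
    findings = []
    grants = set(body.get("grant_types", []))
    # The OpenID spec default applies when application_type is omitted.
    app_type = body.get("application_type", "web")

    if app_type == "web" and "authorization_code" not in grants:
        # Same condition Okta reports as invalid_client_metadata (HTTP 400).
        findings.append(
            "reject: 'grant_types' must contain 'authorization_code' "
            "when 'application_type' is 'web'"
        )
        for grant in sorted(grants.intersection(OKTA_TYPE_FOR_GRANT)):
            findings.append(
                f"hint: Okta expects application_type '{OKTA_TYPE_FOR_GRANT[grant]}' "
                f"for '{grant}' without authorization_code"
            )
    if "implicit" in grants:
        findings.append("review: implicit grant requested; the article advises avoiding it")
    return findings


# Constructed sample bodies: the failing request from the CAUSE section,
# the workaround from this article, and a service client from the appendix.
FAILING = {"client_name": "OKTA_CLIENT_WITHOUT_AUTHCODE", "grant_types": ["implicit"]}
WORKAROUND = {"client_name": "demo", "grant_types": ["implicit", "authorization_code"]}
SERVICE = {"client_name": "demo", "application_type": "service",
           "grant_types": ["client_credentials"]}

if __name__ == "__main__":
    for name, body in (("failing", FAILING), ("workaround", WORKAROUND), ("service", SERVICE)):
        print(name, check_registration(body) or "ok")
```
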


 
 

Disclaimer:

This article involves products and technologies which do not form part of the MuleSoft product set. Technical assistance for such products is limited to this article.

Knowledge Article Number

001123173

 