[Bug]: Okta Device Authorization Failure due to Empty Assertion Fields

Open jonyoder opened this issue 8 months ago • 0 comments

Preflight Checklist

  • [x] I could not find a solution in the documentation, the existing issues or discussions
  • [x] I have joined the ZITADEL chat

Version

3.38.1

Describe the problem caused by this bug

I'm attempting to use device authorization against Okta, which results in an error from the DeviceAuthorization method:

ErrorType=invalid_request Description=The client_assertion_type is invalid.

I have chatted with Rajat on the Discord channel about this issue, and decided to open a PR, which I will link to this issue soon.

To reproduce

You can reproduce this behavior with curl:

  1. Start with an Okta test application:

    export ISSUER=https://<okta-url>.oktapreview.com/oauth2/default
    
  2. As documented by Okta, this request works:

    curl --request POST \
      --url $ISSUER/v1/device/authorize \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=<redacted>' \
      --data-urlencode 'scope=openid profile offline_access'
    
    {"device_code":"e9694547-72d4-420c-9e02-4dca650d4176","user_code":"XTDKFLXF","verification_uri":"https://<url>.oktapreview.com/activate","verification_uri_complete":"https://<url>.oktapreview.com/activate?user_code=XTDKFLXF","expires_in":600,"interval":5}
    
  3. But if you add the client assertion fields, it fails:

    curl --request POST \
      --url $ISSUER/v1/device/authorize \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=0oa2e0pp4hsQlHugh0h8' \
      --data-urlencode 'scope=openid profile offline_access' \
      --data-urlencode 'client_assertion_type=' \
      --data-urlencode 'client_assertion='
    
    {"error":"invalid_request","error_description":"The client_assertion_type is invalid."}
    

Screenshots

No response

Expected behavior

As a user of the zitadel/oidc library, I want the device authorization API calls to omit the client assertion fields when empty to avoid conflicts with Okta.

Additional Context

I found a workaround: this appears to be due to the client_assertion fields being included in the request even when empty. If I modify the fields in https://github.com/zitadel/oidc/blob/main/pkg/oidc/token_request.go#L243-L244 to include the omitempty attribute, device authorization against Okta works.

jonyoder avatar May 07 '25 13:05 jonyoder
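The before/after the issue describes, as an added Go example that is not zitadel/oidc's own code: a minimal tag-driven form encoder (the `form` tag and `EncodeForm` are assumptions standing in for the library's own encoder) shows that without `omitempty` the blank `client_assertion_type` and `client_assertion` fields land in the request body, which is what Okta rejects, while non-empty values are still sent.

```go
package main

import (
	"fmt"
	"net/url"
	"reflect"
	"strings"
)

// Request as it is shaped today: empty assertion fields are still encoded.
// The "form" tag and EncodeForm below are assumptions for this example and
// stand in for the library's own tag/encoder; they are not zitadel/oidc code.
type DeviceAuthorizationRequest struct {
	Scope               string `form:"scope"`
	ClientID            string `form:"client_id"`
	ClientAssertionType string `form:"client_assertion_type"`
	ClientAssertion     string `form:"client_assertion"`
}

// Same request with the omitempty option the issue proposes.
type DeviceAuthorizationRequestFixed struct {
	Scope               string `form:"scope"`
	ClientID            string `form:"client_id"`
	ClientAssertionType string `form:"client_assertion_type,omitempty"`
	ClientAssertion     string `form:"client_assertion,omitempty"`
}

// EncodeForm turns the string fields of a struct into form values,
// honouring a trailing ",omitempty" option in the tag.
func EncodeForm(v any) url.Values {
	vals := url.Values{}
	rv := reflect.ValueOf(v)
	for i := 0; i < rv.NumField(); i++ {
		name, opts, _ := strings.Cut(rv.Type().Field(i).Tag.Get("form"), ",")
		s := rv.Field(i).String()
		if s == "" && strings.Contains(opts, "omitempty") {
			continue // dropped: Okta rejects an empty client_assertion_type
		}
		vals.Set(name, s)
	}
	return vals
}

func main() {
	buggy := DeviceAuthorizationRequest{Scope: "openid profile offline_access", ClientID: "<redacted>"}
	fixed := DeviceAuthorizationRequestFixed{Scope: "openid profile offline_access", ClientID: "<redacted>"}
	fmt.Println("before:", EncodeForm(buggy).Encode()) // empty assertion fields present
	fmt.Println("after: ", EncodeForm(fixed).Encode()) // only client_id and scope
}
```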