I'm hitting the following endpoint
https://<my company>.onelogin.com/oidc/token
and sometimes I get the following error response and I'm not sure what it means.
{"error":"invalid_request","error_description":"client authentication must only be provided using one mechanism"}
I am sending the following fields as params:
grant_type=authorization_code
code=redacted
redirect_uri=redacted
client_id=redacted
client_secret=redacted
Can anyone shed some light on why this endpoint fails intermittently?
We have figured out what has been causing this "one mechanism" problem. We emailed OneLogin tech support team and received the following response:
As you can see in our documentation, the placement of "client_secret" is dependent on your Token Endpoint Authentication Method setting (API Reference).
If the Authentication Method = POST then "client_secret" is in the body.
If the Authentication Method = Basic then the "client_secret" is encoded and placed in the Authorization header.
Your application is currently sending this value in both the Authorization header and the POST body. In the past this would not have been an issue, but with the tightening to the spec it will cause a 400 error for your application.
They will soon update their documentation, but for now, please use this guide to get rid of the "one mechanism" error in your application.
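To make the two placements concrete, here is an added example (not code from the question, the answer, or OneLogin) that builds the authorization_code token request for each Token Endpoint Authentication Method and, alongside it, a small checker that mirrors the "one mechanism" rule the endpoint enforces. The endpoint URL, client id, secret, code and redirect URI are made-up placeholders, and the checker is an assumed reconstruction of the server-side rule, not OneLogin's implementation. It also shows the failing case: a POST-style body with a Basic header added on top.

```python
import base64
from urllib.parse import urlencode, parse_qs, quote

# Placeholder values constructed for this example; not real OneLogin credentials.
TOKEN_URL = "https://example.onelogin.com/oidc/token"
CLIENT_ID = "my-client-id"
CLIENT_SECRET = "s3cret"
CODE = "auth-code-from-redirect"
REDIRECT_URI = "https://app.example.com/callback"

ONE_MECHANISM_ERROR = {
    "error": "invalid_request",
    "error_description": "client authentication must only be provided using one mechanism",
}


def build_token_request(auth_method, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                        code=CODE, redirect_uri=REDIRECT_URI):
    """Return (headers, body) for an authorization_code grant.

    auth_method is the app's Token Endpoint Authentication Method:
      "client_secret_post"  (OneLogin "POST")  -> secret in the form body only
      "client_secret_basic" (OneLogin "Basic") -> secret in the Authorization header only
    The secret is placed in exactly one of the two, never both.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    elif auth_method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then HTTP Basic.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
        # client_id is deliberately kept out of the body so the request carries
        # client authentication through the header alone.
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return headers, urlencode(params)


def check_single_auth_mechanism(headers, body):
    """Assumed reconstruction of the endpoint's check (not OneLogin's code).

    Returns None when the request is acceptable, otherwise an OAuth error dict.
    Credentials in both the Authorization header and the body trip the
    "one mechanism" error from the question.
    """
    in_header = any(k.lower() == "authorization" for k in headers)
    in_body = "client_secret" in parse_qs(body)
    if in_header and in_body:
        return dict(ONE_MECHANISM_ERROR)
    if not in_header and not in_body:
        return {"error": "invalid_client", "error_description": "no client authentication"}
    return None


def reproduce_one_mechanism_error():
    """The misconfiguration from the answer: POST-style body plus a Basic header."""
    headers, body = build_token_request("client_secret_post")
    basic_headers, _ = build_token_request("client_secret_basic")
    headers["Authorization"] = basic_headers["Authorization"]  # secret now in both places
    return check_single_auth_mechanism(headers, body)


if __name__ == "__main__":
    for method in ("client_secret_post", "client_secret_basic"):
        h, b = build_token_request(method)
        print(method, "->", check_single_auth_mechanism(h, b))
    print("both ->", reproduce_one_mechanism_error())
```

If your client library (an OIDC SDK, or a plain HTTP client with a `auth=` convenience argument) sets the Basic header for you, do not also put `client_secret` in the form body; pick the method that matches the application's Token Endpoint Authentication Method setting and use only that one.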