Invalid Client Error With Private Key JWT Authentication When Requesting an Access Token

Overview

This article explains the cause of an invalid_client error that occurs when creating or configuring an application for Private Key JSON Web Token (JWT) Authentication. The error is displayed after sending a POST request to the /oauth/token endpoint to get an access token. The log for the failed exchange shows the following error description:

  • log type: Failed Exchange (feccft)
  • log description: Failed client authentication
  • client_authentication_error: "'exp' claim must specify a time that is no more than 5 minutes after 'iat': ****"

Applies To

  • Private Key JWT
  • /oauth/token endpoint
  • Access Tokens

Cause

This error is caused by an invalid configuration of the client assertion JWT sent as part of the authentication request. The client assertion is a signed JWT that proves the identity of the client. For security, a maximum lifetime of five minutes is enforced for the client assertion.

The error occurs because the time difference between the expiration (exp) claim and the issued at (iat) claim in the submitted JWT exceeds the five-minute (300 seconds) maximum.

See Authenticate with Private Key JWT for more details.

Solution

To resolve this issue, correct the generation logic for the client assertion JWT to ensure its lifetime is within the five-minute window.

  • When constructing the JWT payload, set the exp claim’s value to a Unix timestamp that is no more than 300 seconds after the iat claim’s value.

See the Private Key JWT Authentication example for sample code.

NOTE: The client assertion JWT is a one-time use token, and the shortest possible expiry time is recommended. The duration must be ‘5m’ or less.
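The following is an added example, not code from the article or from the token endpoint's own implementation. It builds the claim set for a client assertion with a lifetime capped at 300 seconds, and mirrors the server-side exp/iat check so the failing configuration can be reproduced locally before a request is sent. The client id, key id, and audience URL are placeholders; the signing step (RS256 with the application's private key) is left to a JWT library and only the unsigned header and payload segments are produced here.

```python
import base64
import json
import time
import uuid

# Maximum client-assertion lifetime enforced by the token endpoint (per the article).
MAX_ASSERTION_LIFETIME_SECONDS = 300


def build_client_assertion_claims(client_id, token_endpoint, now=None, lifetime_seconds=60):
    """Return the claim set for a Private Key JWT client assertion.

    `lifetime_seconds` is capped at 300 so that `exp - iat` can never exceed the
    five-minute window. Claim names follow RFC 7523 (iss/sub/aud/iat/exp/jti);
    `token_endpoint` as the audience value is an assumption of this example.
    """
    if lifetime_seconds <= 0:
        raise ValueError("lifetime_seconds must be positive")
    if lifetime_seconds > MAX_ASSERTION_LIFETIME_SECONDS:
        raise ValueError(
            f"lifetime_seconds={lifetime_seconds} exceeds the "
            f"{MAX_ASSERTION_LIFETIME_SECONDS}s maximum"
        )
    iat = int(time.time()) if now is None else int(now)
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,
        "iat": iat,
        "exp": iat + lifetime_seconds,
        "jti": str(uuid.uuid4()),  # unique id: the assertion is single-use
    }


def check_assertion_lifetime(claims):
    """Mirror the server-side lifetime check: None if acceptable, else the error text."""
    iat = claims.get("iat")
    exp = claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return "'iat' and 'exp' claims must be integer Unix timestamps"
    if exp <= iat:
        return "'exp' claim must be after 'iat'"
    if exp - iat > MAX_ASSERTION_LIFETIME_SECONDS:
        return "'exp' claim must specify a time that is no more than 5 minutes after 'iat'"
    return None


def _b64url(data: bytes) -> str:
    # JWS uses unpadded base64url encoding for every segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_jwt_segments(claims, kid):
    """Header and payload segments of the compact JWS form (signature omitted)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}  # kid is a placeholder
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ])


def decode_claims_from_jwt(token):
    """Read the payload of a compact JWT without verifying it (for diagnosing a failed exchange)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore padding stripped by JWS
    return json.loads(base64.urlsafe_b64decode(payload_b64))


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demonstration is reproducible
    good = build_client_assertion_claims(
        "client-id-placeholder", "https://tenant.example/oauth/token",
        now=now, lifetime_seconds=120,
    )
    print("120s lifetime:", check_assertion_lifetime(good))
    # Reproduce the failure from the log: an assertion with a one-hour lifetime.
    bad = dict(good, exp=now + 3600)
    print("3600s lifetime:", check_assertion_lifetime(bad))
```

When diagnosing a live failure, paste the assertion from the failed request into `decode_claims_from_jwt` and run `check_assertion_lifetime` on the result; the returned text matches the `client_authentication_error` in the log when `exp - iat` is over 300 seconds. Keeping `lifetime_seconds` at a minute or less, as the note above recommends, leaves headroom for clock skew between the client and the token endpoint.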