Unable to get a token on behalf of a user. "Client must be a Custom API Client with resource_server_id"

I am following the documentation here.

When I send the token request, I get the following response.

{
    "error": "invalid_request",
    "error_description": "Client must be a Custom API Client with resource_server_id"

}

I am not sure what this error means.

My request looks like this.

POST https://mydomain.com/oauth/token

{
    "client_id": "{clientId}",
    "client_secret": "{clientSecret}",
    "subject_token": "eyJ…", //Incoming bearer token
    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
    "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "audience": "https://{target api identifier}"
  }

My client is registered as a Machine to Machine application. I have client_credentials enabled as a grant type, but I don’t see a way in the management portal to enable the token-exchange grant type.

Is there something else I need to do to on-behalf-of work?

Hi @dave.natalie

Welcome to the Auth0 Community!

I understand that you are configuring On-Behalf-Of Token Exchange and are encountering the " Client must be a Custom API Client with resource_server_id " error message.

The usual culprit in such cases would be the prerequisites of creating the Custom API client, creating the grant type and then configuring the On-Behalf-Of ( OBO ) Token Exchange before testing. I recommend double-checking these steps from the On-Behalf-Of Token Exchange documentation that you shared, as it can happen that changes are not saved or immediately reflected if testing right after setting everything up. In particular, ensure that you have made the Patch request to the /api/v2/clients/{clientId} endpoint with the following request body, in order to add the token exchange grant to your client’s grant_types array:

curl --location --request PATCH 'https://{yourDomain}/api/v2/clients/{clientId}' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN' \
  --data '{
    "token_exchange": {
      "allow_any_profile_of_type": ["on_behalf_of_token_exchange"]
    }
  }'

In addition, the following details are worth to be noted as well:

  • please ensure the client_id and client_secret in your POST request belong to the Custom API Client that represents your backend API (the audience of the incoming subject_token ), not a separate M2M app;

  • Use the Auth0 Management API to PATCH that specific client and explicitly append urn:ietf:params:oauth:grant-type:token-exchange to its permitted grant_types

After making the Patch request, perform the OBO token exchange once more and let us know if you are still getting the same error message, or if anything changed.

Best regards,
Gerald