Requests Using Authorization Header Fail with "The Given Client Credentials Were Not Valid" Error Message, Using Customized Client ID and Client Secrets.

Document ID : KB000008633
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

The Authorization header can be used in requests consuming the OAuth Toolkit ("OTK"), but may fail at times if the Client ID and Client Secret have been customized, displaying the following error message: The given client credentials were not valid.

Environment:
CA API Gateway with OTK, where the Client ID and Client Secret values are customized from the default 32-character UUIDs, amounting to a combined character count over 64.
Cause:

There is a current limitation (as of the last modified date on this KB article - latest version of OTK at this time is 4.1) in the OTK which causes the service to reject requests with an Authorization header larger than 128 characters. This limitation is rarely reached, but it can happen if the Client ID and Client Secret are over 64 characters combined, as it will usually amount to an Authorization header over 128 characters after being Base64 encoded.

Resolution:

When this limitation is reached, the only way around it is to modify the Client ID and Client Secret to have a combined character count under 64, which should keep the Authorization header under 128 characters after being Base64 encoded.

The general recommendation is to simply leave the values the OTK assigns to the client to ensure everything is unique and stays away from any limitations.

Additional Information:
  • This limitation and related feature request to improve the handling of this behaviour is referenced as DE320031 & US411446 by CA Technologies.
  • There is a feature request / idea filed in the CA API Management Community for removing the character count limitation found in the OTK which can be voted and commented on.