
Error: The request contains authorization header and client_id in SPS


Article ID: 254398


Updated On:


SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)



When running CA Access Gateway (SPS) as an OIDC Provider, once the Postman client sends a token request to SPS, the browser gets the error:

  {"error":"invalid_request","error_description":"The request contains authorization header and client_id \u0026 client_secret in body."}

  Error: The request contains authorization header and client_id & client_secret in body.




  CA Access Gateway (SPS) 12.8SP6 on Windows 2016;




At first glance, this is expected if the OIDC Client is configured with Application Type: Confidential and Authentication Type: Basic.

For a Confidential application with Basic authentication, the client_id is expected to arrive in the Authorization header. The Authorization header value is built from the client's credentials:

  Authorization: Basic encoded(client_id:client_secret)

Thus, the client_id already reaches the token endpoint as part of the Authorization header value; when the client also sends client_id and client_secret in the request body, the token endpoint sees the credentials twice and rejects the request.

Configure the journey with an Authentication Scheme other than Basic or Windows.

SiteMinder documentation describes this as expected behavior when the Authentication Scheme is Basic (1).




Configure the journey to use an Authentication Scheme other than the Basic or Windows Authentication Scheme.

Configure the OIDC Client Authentication Type as POST.
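The following Python example is added here to illustrate the cause and the resolution above; it is not SPS code and not part of the original article. It builds the token request for both OIDC Client Authentication Types (Basic: credentials only in the Authorization header; POST: credentials only in the form body), reproduces the client-side mistake of sending both at once, and runs an illustrative server-side check that returns the article's duplicate-credential error. The authorization code and the credentials are sample values; the credentials are simply what the Authorization header in Request 2 below decodes to (s6BhdRkqt3:gX1fBat3bV), and the function names are this example's own.

```python
import base64
from typing import Dict, Optional

# Constructed sample value for this example (not taken from a live system).
SAMPLE_CODE = "SplxlOBeZQQYbYS6WxSbIA"

# Error document quoted in the article for the duplicate-credential case.
DUPLICATE_CREDENTIALS_ERROR = {
    "error": "invalid_request",
    "error_description": "The request contains authorization header and client_id & client_secret in body.",
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for Authentication Type: Basic,
    i.e. 'Basic ' + base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(auth_type: str, code: str, client_id: str, client_secret: str) -> Dict[str, dict]:
    """Build headers and form body for the token endpoint.

    'Basic' -> credentials travel only in the Authorization header.
    'POST'  -> credentials travel only in the form body.
    Either way the client credentials appear exactly once.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code}
    if auth_type == "Basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_type == "POST":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth_type: {auth_type!r}")
    return {"headers": headers, "body": body}


def misconfigured_client_request(code: str, client_id: str, client_secret: str) -> Dict[str, dict]:
    """Reproduce the client-side mistake described in the article: a Basic
    Authorization header *and* client_id/client_secret in the POST body."""
    req = build_token_request("Basic", code, client_id, client_secret)
    req["body"]["client_id"] = client_id
    req["body"]["client_secret"] = client_secret
    return req


def check_client_credentials(headers: dict, body: dict) -> Optional[dict]:
    """Illustrative server-side check (hypothetical, not SPS code): reject a
    token request that presents client credentials both in the Authorization
    header and in the POST body. Returns the error document, or None if the
    credentials are presented only once."""
    in_header = "Authorization" in headers
    in_body = "client_id" in body or "client_secret" in body   # "and/or", as in the error table
    if in_header and in_body:
        return dict(DUPLICATE_CREDENTIALS_ERROR)
    return None


if __name__ == "__main__":
    # Credentials behind the article's example header "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW".
    cid, secret = "s6BhdRkqt3", "gX1fBat3bV"
    for label, req in [
        ("Basic", build_token_request("Basic", SAMPLE_CODE, cid, secret)),
        ("POST", build_token_request("POST", SAMPLE_CODE, cid, secret)),
        ("Basic + body credentials", misconfigured_client_request(SAMPLE_CODE, cid, secret)),
    ]:
        print(f"{label}: {check_client_credentials(req['headers'], req['body'])}")
```

Only the third request, which carries the credentials in both places, is rejected; switching the OIDC Client Authentication Type to POST (or removing the Basic header on the client side) leaves a single copy of the credentials and the check passes.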


Additional Information



    Example Request and Responses

      Request 2: Token request format for a Confidential client application that uses Basic authentication type

        POST /affwebservices/CASSO/oidc/sample_client/token HTTP/1.1
        Host:
        Content-Type: application/x-www-form-urlencoded
        Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

        grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&

      Response 2: Invalid response

        400 Bad Request
        Cache-Control: no-store
        Content-Type: application/json; charset=UTF-8
        Pragma: no-store

        { "error": "invalid_grant","error_description": "Invalid authorization code"}

      Error Codes and Messages

      | Scenario | Error Code | Error Description | HTTP Status Code |
      |---|---|---|---|
      | Duplicate client credentials are sent with both authorization header, and client_id and/or client_secret in POST body | invalid_request | The request body contains both authorization header and client_id/client_secret | 400 |