OAuth source with Okta is broken since upgrade to 2025.2.0 #13302

@johnmarcou

Describe the bug
I have an OAuth Source with Okta which is functional in 2024.12.3.
Since I upgraded to 2025.2.0 (and then 2025.2.1), I am receiving an error when logging in using Okta.

To Reproduce

  • Deploy Authentik from 2024.12.3
  • Configure an OAuth source with Okta
  • Test it and make sure you can log in via Okta
  • Upgrade to 2025.2.0 or 2025.2.1
  • Check if you can still log in via Okta

Expected behavior
The login should still work after the upgrade.

Screenshots
A notification on the User UI: Authentication failed: Could not retrieve token.

Logs
Container logs:

{
  "auth_via": "unauthenticated",
  "domain_url": "auth.company.org",
  "event": "Unable to fetch access token",
  "exc": "HTTPError('401 Client Error: Unauthorized for url: https://company.okta.com/oauth2/v1/token')",
  "host": "auth.company.org",
  "level": "warning",
  "logger": "authentik.sources.oauth.clients.oauth2",
  "pid": 44,
  "request_id": "28a3370dcd95488f966c39de93094545",
  "response": "401 Client Error: Unauthorized for url: https://company.okta.com/oauth2/v1/token",
  "schema_name": "public",
  "timestamp": "2025-02-27T01:48:49.651530"
}

Okta logs:

Time	Actor	Event Info	Targets
Feb 27 11:20:09	unknown client (PublicClientApp) 44.XXX.XX.XX	OIDC token request FAILURE: multiple_client_credentials	Authorization Code (code)

Version and Deployment (please complete the following information):

  • authentik version: [2025.2.0, 2025.2.1]
  • Deployment: [helm]

Additional context
Note that other sources - Github, Discord - are still functional.

I searched for multiple_client_credentials, and I suspect it's caused by this change #12713, given:

It is likely that the client library is passing client credentials in both the headers and post body of the API call. Okta does not allow this, while some other providers may be more lax in this requirement. You can pass the credentials in one of these but not both.

Source: https://devforum.okta.com/t/oidc-token-request-results-in-failure-multiple-client-credentials/207/2
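
The condition described in the Okta forum quote above (client credentials in both the Authorization header and the POST body), as an added example that is not part of the original issue and is not authentik's code: a check that lists which client authentication methods one token request carries, plus a builder that uses exactly one. The function names, client ID, secret and URLs are constructed assumptions.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode


def client_auth_methods(headers: dict, body: str) -> list:
    """Return the client authentication methods present in one token request."""
    methods = []
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if auth.lower().startswith("basic "):
        methods.append("client_secret_basic")   # credentials in the header
    form = parse_qs(body)
    if "client_secret" in form:
        methods.append("client_secret_post")    # credentials in the POST body
    if "client_assertion" in form:
        methods.append("client_assertion")      # JWT-based client authentication
    return methods


def build_token_request(client_id, client_secret, code, redirect_uri, method):
    """Build (headers, body) for an authorization-code exchange using ONE method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, then base64 "id:secret"
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported method: {method}")
    return headers, urlencode(form)


# Constructed sample values, not taken from the issue.
CID, SECRET, CODE = "0oaEXAMPLE", "s3cr3t/value", "constructed-code"
REDIRECT = "https://auth.example.org/source/oauth/callback/okta/"

good_headers, good_body = build_token_request(CID, SECRET, CODE, REDIRECT,
                                              "client_secret_basic")
# The failing shape: Basic header plus the same secret repeated in the body.
bad_headers = dict(good_headers)
bad_body = good_body + "&" + urlencode({"client_id": CID, "client_secret": SECRET})

if __name__ == "__main__":
    print("single method:", client_auth_methods(good_headers, good_body))
    print("rejected shape:", client_auth_methods(bad_headers, bad_body))
```

A request for which `client_auth_methods` returns more than one entry matches the shape the forum answer says Okta rejects with `multiple_client_credentials`.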

Labels: bug (Something isn't working)
