I am trying to integrate my spring boot rest API swagger/OpenAPI documentation client with the GLUU server. I am doing this so I can authenticate to test my API's in swagger directly. I am utilizing oauth2/authentication_code flow. I am able to configure my swagger-ui client with the correct openid-configuration, and it parses the flow types correctly. When I try to execute the client to log in, I enter the clientId/secret, which then prompts me to log in with a username/password from the GLUU server. It calls the https://{hostname}/oxauth/restv1/authorize?response_type=code&client_id={myclientid}&redirect_uri={myredirecturi}&scope={myscopes}&state={state} Then it calls: https://{hostname}/oxauth/restv1/token But then I get the below error: Auth ErrorError: Unauthorized, error: invalid_client, description: Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client. The clientId is correct, and is has authentication_code as an allowable flow. I am not sure where to go from here as I feel like I set up everything correctly. Here is a snipptet of the oxauth.log: What is weird is I don't see any errors, I only see successfully authenticated both user and client. 020-12-31 06:29:50,688 INFO [qtp804611486-529857] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:262) - Authentication success for Client: 'XXXXX' 2020-12-31 06:29:55,914 INFO [qtp804611486-527359] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:533) - Attempting to redirect user: SessionUser: SessionState {dn='oxAuthSessionId=8f791470-c23b-4bb2-9970-eaba64a30900,ou=session,o=@1!0001!E244.3817,o=gluu', id='8f791470-c23b-4bb2-9970-eaba64a30900', lastUsedAt=Thu Dec 31 06:29:55 UTC 2020, userDn='inum=@!50B9.2EAB.8BC7.EAC1!0001!E244.3817!0000!E2B2.58A4.F5A3.DA4B,ou=people,o=@!50B9.2EAB.8BC7.EAC1!0001!E244.3817,o=gluu', authenticationTime=Thu Dec 31 06:29:55 UTC 2020, state=authenticated, sessionState='cc9249d5cb9d3b87b6a900414dsaaa869c82b3d448e92f7fa033d.f49fee87-1087-4a52-84c7-54b261d59f26', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@75b1f6c0, involvedClients=null, sessionAttributes={auth_step=1, acr=auth_ldap_server, remote_ip=XXXX, 10.20.0.20, auth_external_attributes=null, opbs=947d9032-ddfa-474b-ac38-e0833cceda99, auth_user=example@example.com, scope=openid email, response_type=code, redirect_uri=http://localhost:8090/api/v1/swagger-ui/oauth2-redirect.html, state=VGh1IERlYyAzMSAyMDIwIDAxOjI5OjA2IEdNVC0wNTAwIChFYXN0ZXJuIFN0YW5kYXJkIFRpbWUp, client_id=XXXX}, persisted=true} 2020-12-31 06:29:55,916 INFO [qtp804611486-527359] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:541) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@602347ba 2020-12-31 06:29:55,916 INFO [qtp804611486-527359] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:409) - Authentication success for User: 'example@example.com' Here is a dump header/request and response dump of the last call that returns this message: Request URL: https://<server>/oxauth/restv1/token Request Method: POST Status Code: 401 Unauthorized Remote Address: 123.123.1234:443 Referrer Policy: strict-origin-when-cross-origin Response Headers: Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: http://localhost:8090 Access-Control-Expose-Headers: Origin,Accept,X-Requested-With,Access-Control-Request-Method,Access-Control-Allow-Origin,Access-Control-Request-Headers,Content-Type Connection: close Content-Length: 586 Content-Type: application/json;charset=iso-8859-1 Date: Thu, 31 Dec 2020 17:52:58 GMT Server: Jetty(9.4.12.v20180830) Strict-Transport-Security: max-age=31536000; includeSubDomains WWW-Authenticate: Basic realm="oxAuth" X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Request Headers: Accept: application/json, text/plain, */* Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Connection: keep-alive Content-Length: 232 Content-Type: application/x-www-form-urlencoded Host: qa-sso.kdaenterprises.com Origin: http://localhost:8090 Referer: http://localhost:8090/ sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87" sec-ch-ua-mobile: ?0 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 X-Requested-With: XMLHttpRequest Form data: grant_type: authorization_code client_id: myclientid client_secret: mysecred redirect_uri: http://localhost:8090/api/v1/swagger-ui/oauth2-redirect.html