External Trigger Workflow Test Fails with bearer token clientID does not match OAuth client for workflow idn:external-http: not authorized

I am trying to test an externally triggered SailPoint workflow and keep getting an authorization mismatch error, even though the external OAuth client and access token are generated successfully.

Workflow Setup:

  • Workflow uses EXTERNAL trigger
  • Trigger attribute is idn:external-http
  • Workflow reads values from $.trigger.*
  • Flow is:
    • get identity
    • define variables from trigger payload
    • send email
    • complete

What I Did:

  1. Disabled the workflow
  2. Generated the external OAuth client using the workflow external OAuth client API
  3. Got back the client ID, client secret, and callback URL
  4. Enabled the workflow again
  5. Generated an access token using /oauth/token with grant_type=client_credentials
  6. Called the external workflow /test endpoint with the bearer token

Result: Token generation works, but the test call fails with:

{
  "detailCode": "Internal Server Error",
  "messages": [
    {
      "text": "bearer token clientID does not match OAuth client for workflow idn:external-http: not authorized"
    }
  ]
}

What I Already Verified:

  • PAT scopes were updated
  • external OAuth client generation succeeds
  • token generation succeeds
  • JWT contains the expected client ID
  • Workflow is correctly configured for an external trigger
  • The same error happens in both Postman and PowerShell.

Detailed Step with Response:

Step 1: Generate external OAuth client

Request:

  • POST /v2025/workflows//external/oauth-clients
  • Authorization: Bearer
  • Response:
{
  "id": "<workflow-oauth-client-id>",
  "secret": "<masked-client-secret>",
  "url": "/beta/workflows/execute/external/<workflow-id>"
}

Additional Question: I am creating the external OAuth client using the v2025 API, but the returned callback URL is still in /beta/ format.

  • Is it expected that the v2025 API returns a /beta/workflows/execute/external/… URL?
  • Should the external workflow test/execute calls still use the /beta/ path even when the OAuth client was created through v2025?

Step 2: Generate access token

Request:

  • POST /oauth/token
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    • grant_type=client_credentials
    • client_id=
    • client_secret=
  • Response:
{
  "access_token": "<masked-jwt-access-token>",
  "token_type": "bearer",
  "expires_in": 2147483646,
  "scope": "sp:workflow-execute:external sp:scopes:default",
  "accessType": "OFFLINE",
  "tenant_id": "<tenant-id>",
  "internal": false,
  "pod": "<pod>",
  "strong_auth_supported": false,
  "org": "<org>",
  "claims_supported": false,
  "strong_auth": true,
  "enabled": true,
  "jti": "<token-id>"
}

Step 3: Test external workflow

Request:

  • POST /beta/workflows/execute/external//test
  • Authorization: Bearer
  • Content-Type: application/json
  • Response:
{
  "detailCode": "Internal Server Error",
  "trackingId": "26c8f07118ca4becb9e0159742fb9245",
  "messages": [
    {
      "locale": "en-US",
      "localeOrigin": "DEFAULT",
      "text": "bearer token clientID does not match OAuth client for workflow idn:external-http: not authorized"
    }
  ]
}

Hi @shsakshi,

Have you checked whether the client id in your generated access token matches your workflow trigger's client id?

If it is a lower environment (not production), you can view your access token details at https://jwt.io/, then open your workflow in the UI and compare the client id associated with the trigger.

You can also try generating the access token directly from the trigger in the UI and then test your steps 2 and 3:

Make sure that at step 3 you use “Authorization: Bearer {Generate Access Token with Workflow trigger credential}”
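The three API calls from the question (create the workflow's external OAuth client, request a client_credentials token, post to the /test endpoint) together with the local check suggested in this reply (decode the token and compare its client id with the one issued for the workflow), as an added Python example. This is not code from the thread or from SailPoint; it assumes the request paths quoted in the question, that the token carries its client identifier in a `client_id` claim (an assumption; look at the decoded claims to confirm the name in your tenant), and uses constructed placeholder values for the tenant URL, workflow id, PAT and secrets. The decoder reads the payload without verifying the signature, which is fine for inspecting which client a token names but must never be used to trust a token.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (constructed); replace with your tenant and the ids from step 1.
TENANT_URL = "https://<tenant>.api.identitynow.com"
WORKFLOW_ID = "<workflow-id>"
CLIENT_ID_CLAIM = "client_id"  # assumed claim name; confirm against a decoded token


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Only for local inspection (what jwt.io shows); never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_workflow_client(token: str, oauth_client_id: str,
                                  claim: str = CLIENT_ID_CLAIM) -> bool:
    """True when the token names the OAuth client created for the workflow.
    A mismatch here is exactly what the 'clientID does not match' error reports."""
    return jwt_claims(token).get(claim) == oauth_client_id


def client_credentials_body(client_id: str, client_secret: str) -> bytes:
    """Form-encoded body for POST /oauth/token (step 2 of the question)."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()


def _post_json(url: str, data: bytes, headers: dict) -> dict:
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_external_oauth_client(base_url: str, workflow_id: str, pat: str) -> dict:
    """Step 1: PAT-authenticated call; returns {id, secret, url} per the question."""
    return _post_json(
        f"{base_url}/v2025/workflows/{workflow_id}/external/oauth-clients",
        b"",
        {"Authorization": "Bearer " + pat},
    )


def request_token(base_url: str, client_id: str, client_secret: str) -> str:
    """Step 2: client_credentials grant with the workflow OAuth client."""
    body = _post_json(
        base_url + "/oauth/token",
        client_credentials_body(client_id, client_secret),
        {"Content-Type": "application/x-www-form-urlencoded"},
    )
    return body["access_token"]


def run_workflow_test(base_url: str, callback_url: str, token: str, payload: dict) -> dict:
    """Step 3: POST a sample trigger payload to <callback url>/test."""
    return _post_json(
        base_url + callback_url + "/test",
        json.dumps(payload).encode(),
        {"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )


def make_demo_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT so the claim check can be exercised offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Offline demonstration: a token minted for a different client id than the
    # one the workflow was issued reproduces the mismatch from the question.
    workflow_client = "client-for-workflow"
    stale_token = make_demo_jwt({"client_id": "client-from-old-run",
                                 "scope": "sp:workflow-execute:external"})
    print("claims:", jwt_claims(stale_token))
    print("matches workflow client:", token_matches_workflow_client(stale_token, workflow_client))
    # Live use (not run here): client = create_external_oauth_client(TENANT_URL, WORKFLOW_ID, "<pat>")
    # token = request_token(TENANT_URL, client["id"], client["secret"])
    # assert token_matches_workflow_client(token, client["id"])
    # run_workflow_test(TENANT_URL, client["url"], token, {"identity": "<id>"})
```

If the check fails on a real token, the usual cause is that the secret used at step 2 belongs to an OAuth client generated in an earlier run (each generation call issues a new client), so the token names a client the workflow no longer trusts; regenerate the client with the workflow disabled and request the token with that client's id and secret.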

Hi @baoussounda

Thanks, it worked.