FAILURE: Unable to retrieve an access token for the identity provider


I am trying to make Azure as an OIDC IDO for Okta, I followed the instructions here: Enterprise Identity Provider | Okta Developer
In the end, the error that I am getting is: FAILURE: Unable to retrieve an access token for the identity provider.
I checked 3 times the links inside Okta, to match the ones from Azure, and the redirect URI from Azure to match the one coming from Okta.
This is the expanded logs, but I didn’t see much that can help.

I thought that this might be the issues, but it seems like it didn’t help at all.

I suspect that the issue it’s on the Azure side? I am just trying to make sure I didn’t miss anything on Okta’s side.

Thank you,

I was able to find this error in our logs and it looks like Okta received a 401 back from the IdP when we attempted to exchange the authorization code for tokens.

Can you double check that the Authorization and Token endpoints your provided to Okta are correct and that the Client ID and Client Secret were correctly copied over from Azure?

Thankfully, I was able to make it work after checking the links.

Thank you so much @andrea !
One last question if you can assist.
I am trying to send the the user’s groups through Claims from Azure to Okta, and map them to an attribute.
I did the following:
→ added a groups attributes in the IDP user profile
→ Added 2 custom attributes in Okta, one string, one string arry, and mapped groups to both of them just to rule out any problems with the data type.
→ Update user attributes is checked.
→ Added group clam in Azure

But unfortunately, it doesn’t map them to the Okta user profile.

1 Like

When you created the groups attribute for the IdP User profile, was Okta able to find the attribute by polling AD for the schema, or did you set the external name (which would be the claim name) yourself?

Did you ensure that you mapped the attribute from the IdP User Profile into the Okta User/UD User profile?

@andrea Hello and thank you for your reply.

I added the attribute manually, by using “groups” as the external name, as I didn’t see any way to create it by polling ad for the schema, and this was the advice I received from the support team some time ago.

The attribute from the IDP Profile is mapped to two attributes in the Okta user profile, one string and one string array.