Invalid_social_token - Could not acquire access token from authorization code

Hello Okta gurus!

I am trying to integrate a custom-built OIDC Identity Provider with Okta.

While performing an Auth Code Grant Flow, Okta redirects back to my web app with the following error:

error=invalid_social_token
error_description=Could not acquire access token from authorization code.

The Okta system logs don’t provide any clues on the underlying issue that I can see:

The authorization request to Okta looks like so:
https://dev-xxxxxxx.okta.com/oauth2/v1/authorize?idp=0oaXXXXXXXX5d7&client_id=0oa5XXXXXTyjIe5d7&scope=openid&redirect_uri=http://localhost:4200&response_type=code&response_mode=fragment&state=init

Once the user authenticates with the custom IDP, it redirects back to Okta with the state and an IDP-provided auth code.
https://dev-xxxxxxx.okta.com/oauth2/v1/authorize/callback?state=xxxxx&code=yyyyyy

Okta then calls my custom IDP’s /token endpoint with the IDP-provided auth code. The ID token that my custom IDP is returning looks like so (I have tried a lot of different options with its claims without success):

{
  "exp": 1659190224,
  "iat": 1659186624,
  "iss": "https://....", << base url for my custom IDP
  "aud": "0oa5XXXXXTyjIe5d7", << okta app client_id
  "sub": "xxxx@yyyy.com", << Okta user whose account the custom IDP is authenticating
  "email": "xxxx@yyyy.com", << Okta user whose account the custom IDP is authenticating
  "idpuser.email": "xxxx@yyyy.com", << Okta user whose account the custom IDP is authenticating
  "idp": "0oa5XXXXXXX5d7", << IDP id from Okta
  "nonce": "C4b6J-HS-B6CXE8wy4wnYE8J5wuxZvmh" << nonce Okta provides when redirecting to my custom IDP's authorization endpoint.
}

The ID token is a JWT signed with a private key. The public key is accessible to Okta via the IDP’s configured JWKS endpoint. The JWT and signature are fine according to jwt.io.

The IDP account linking is configured like so:

I’ve been stuck on this for a couple of days now. If anyone can possibly assist or point me in a direction to troubleshoot further I would be eternally grateful. Thanks!

I figured out the issue. The custom IDP’s /token endpoint response wasn’t formatted correctly. Stupid mistake on my part, it just needed to return a JSON object like so:

{
     "id_token": "eyJ0eXAiOiJqd3QiLCJhbGciOiJSUz...."
}
