Okta as an external Identity Provider produces "invalid_social_token" error

I am trying to get one Okta org to trust another by setting one up as an IDP and using the other as the client for an SPA.

The IDP has an application set up as follows:

The client has an Identity Provider set up like this:

I can’t verify the client secret is the same because it’s obfuscated on the IDP page without a show button, but I’m reasonably confident they are.

The client then has an SPA app set up like this.

There are also routing rules for IDP discovery set up, but I don’t think it’s necessary to show that configuration here.

When I attempt to log into my client SPA with an account from the IDP, I receive this error:

The system log from the Client shows this error:

[DebugData section of the log entry]

The IDP system log is showing successes as shown below:

I’m happy to provide any other information or logs necessary.

Hi @nickolasfisher ,

One thing I notice is that the “JWKS endpoint” in your config is incorrect.
It should be https://dev-51519050.okta.com/oauth2/default/v1/keys (missing /default)

If that doesn’t fix the issue,
I would also try to use the org issuer instead of the default issuer you are trying.
i.e. Issuer - https://dev-51519050.okta.com
Authorization endpoint - https://dev-51519050.okta.com/oauth2/v1/authorize etc…

Here’s my config in the downstream web app for example -

[Screenshot: Screen Shot 2022-06-08 at 11.20.01 AM]

Hope this helps.
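The reply above comes down to one rule: every endpoint entered in the Identity Provider form must belong to the same authorization server as the issuer, and the authoritative list of those endpoints is the issuer’s own discovery document at `{issuer}/.well-known/openid-configuration`. The script below is an added example, not code from this thread or from Okta, that applies that rule to a configuration. The two discovery documents it embeds are constructed (the org domain `idp.example.com` is a placeholder) and follow the layout of an Okta org authorization server (endpoints under `/oauth2/v1/`) and of the custom `default` authorization server (endpoints under `/oauth2/default/v1/`), so it runs offline; a live version would fetch the document over TLS instead.

```python
"""Compare an external-IdP endpoint configuration against the issuer's OIDC
discovery document (added example; not the thread's or Okta's code)."""
import json

ORG = "https://idp.example.com"  # constructed placeholder for the IdP org domain

# Constructed discovery documents, trimmed to the fields this check uses.
SAMPLE_DISCOVERY = {
    ORG: {
        "issuer": ORG,
        "authorization_endpoint": f"{ORG}/oauth2/v1/authorize",
        "token_endpoint": f"{ORG}/oauth2/v1/token",
        "userinfo_endpoint": f"{ORG}/oauth2/v1/userinfo",
        "jwks_uri": f"{ORG}/oauth2/v1/keys",
    },
    f"{ORG}/oauth2/default": {
        "issuer": f"{ORG}/oauth2/default",
        "authorization_endpoint": f"{ORG}/oauth2/default/v1/authorize",
        "token_endpoint": f"{ORG}/oauth2/default/v1/token",
        "userinfo_endpoint": f"{ORG}/oauth2/default/v1/userinfo",
        "jwks_uri": f"{ORG}/oauth2/default/v1/keys",
    },
}

# Field in the Identity Provider form -> key in the discovery document.
FIELD_TO_DISCOVERY_KEY = {
    "authorization_endpoint": "authorization_endpoint",
    "token_endpoint": "token_endpoint",
    "userinfo_endpoint": "userinfo_endpoint",
    "jwks_endpoint": "jwks_uri",
}


def load_discovery(issuer, documents=SAMPLE_DISCOVERY):
    """Return the discovery document for an issuer from the embedded samples.
    A live version would GET issuer + '/.well-known/openid-configuration'."""
    try:
        return documents[issuer.rstrip("/")]
    except KeyError:
        raise ValueError(f"no discovery document for issuer {issuer!r}") from None


def check_idp_config(config, documents=SAMPLE_DISCOVERY):
    """Return (field, configured_value, value_advertised_by_issuer) for every
    filled-in endpoint that disagrees with the issuer's discovery document.
    Blank fields are skipped; an empty list means the config is consistent."""
    doc = load_discovery(config["issuer"], documents)
    mismatches = []
    for field, key in FIELD_TO_DISCOVERY_KEY.items():
        configured = config.get(field)
        if configured and configured != doc[key]:
            mismatches.append((field, configured, doc[key]))
    return mismatches


# Mirrors the thread: issuer is the "default" server but the JWKS URL belongs to
# the org server, so the keys fetched are not the ones the issuer signs with.
MISCONFIGURED = {
    "issuer": f"{ORG}/oauth2/default",
    "authorization_endpoint": f"{ORG}/oauth2/default/v1/authorize",
    "token_endpoint": f"{ORG}/oauth2/default/v1/token",
    "jwks_endpoint": f"{ORG}/oauth2/v1/keys",
}

# The org-issuer variant suggested in the reply above.
ORG_ISSUER_CONFIG = {
    "issuer": ORG,
    "authorization_endpoint": f"{ORG}/oauth2/v1/authorize",
    "token_endpoint": f"{ORG}/oauth2/v1/token",
    "userinfo_endpoint": f"{ORG}/oauth2/v1/userinfo",
    "jwks_endpoint": f"{ORG}/oauth2/v1/keys",
}

if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED), ("org issuer", ORG_ISSUER_CONFIG)):
        print(name, json.dumps(check_idp_config(cfg), indent=2))
```

Run it as-is and the first configuration reports the JWKS field with the `/oauth2/default/v1/keys` value the issuer actually advertises, while the org-issuer configuration reports nothing. The same comparison is worth running whenever an IdP’s issuer is changed, since the form fields do not update themselves.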

Thank you @vijet, that gets me most of the way there. I was getting crossed up between what was in https://${theIdPdomain}/.well-known/openid-configuration vs what the Okta Developer article “Add an external Identity Provider” says.

Now I’m having an issue hitting the userInfo endpoint, it seems. If I leave that field blank I get this error on JIT:

If I try to use the userInfo endpoint I get this:

For clarity, I’ve used these settings:

And these:

Can you ensure you’re requesting the ‘profile’ scope in the IdP config?

Hi @andrea

I am requesting the profile scope:


I thought it might have to do with the profile mappings. This is my current setup, very close to if not identical to the default:

Hi @andrea and @vijet

Checking to see if you’ve been able to identify a potential solution. I’ve checked the mappings in the IDP and from the IDP to the client.

I also noticed this message on the IDP configuration:

JIT account creation and activation only works for users who are not already Okta users.

So I attempted to disable Account Linking, but that resulted in the same error.

I checked our logs for your previous failure

and I’m seeing a report that we encountered a 405 when trying to get the user profile information, but not sure why that would happen when we hit the Userinfo endpoint.

Can you share the way the profile for your IdP user is configured? I’m curious if there’s something wrong with the way the firstName and lastName attributes (since we require those to JIT the user) are getting mapped in from OIDC.

They should look something like this (where the External name is equivalent to the OIDC claim name that contains the value):
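The post above makes two points a practitioner can check before the next login attempt: the IdP must actually release the claims the mapping names (which is what requesting the `profile` scope does), and the claims it returns for this particular user must be non-empty for the attributes required to JIT the user. The script below is an added example, not code from this thread or from Okta. Its mapping follows the shape described above (Okta attribute on the left, the OIDC claim name that serves as the “External name” on the right); `given_name`, `family_name` and `email` are the standard OIDC claim names, and the claim payloads used at the bottom are constructed.

```python
"""Check that the claims an external OIDC IdP returns can populate the
attributes the downstream org needs to JIT-create the user
(added example; not the thread's or Okta's code)."""

# Okta profile attribute -> OIDC claim name ("External name" in the mapping).
DEFAULT_MAPPING = {
    "firstName": "given_name",
    "lastName": "family_name",
    "email": "email",
    "login": "email",
}

# Attributes the post above says are required to JIT the user.
REQUIRED_FOR_JIT = ("firstName", "lastName")

# Claims each standard scope releases (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
}


def attributes_not_covered_by_scopes(scopes, mapping=DEFAULT_MAPPING):
    """Return {attribute: claim} for mapped attributes whose claim is not
    released by any requested scope. Catches a missing 'profile' scope in
    the IdP config before a login is even attempted."""
    released = set()
    for scope in scopes:
        released |= SCOPE_CLAIMS.get(scope, set())
    return {attr: claim for attr, claim in mapping.items() if claim not in released}


def check_jit_mapping(claims, mapping=DEFAULT_MAPPING, required=REQUIRED_FOR_JIT):
    """Given the decoded ID-token or userinfo claims for one user, return
    {attribute: reason} for each required attribute that would end up empty."""
    problems = {}
    for attr in required:
        claim = mapping[attr]
        if claim not in claims:
            problems[attr] = f"claim '{claim}' missing"
        elif not str(claims[claim]).strip():
            problems[attr] = f"claim '{claim}' empty"
    return problems


if __name__ == "__main__":
    # Constructed sample: family_name absent, as when the IdP user has no last name.
    sample = {"sub": "00u-constructed", "given_name": "Ada", "email": "ada@example.com"}
    print(attributes_not_covered_by_scopes(["openid", "email"]))
    print(check_jit_mapping(sample))
```

Feed `check_jit_mapping` the payload from the IdP’s userinfo endpoint (or the decoded ID token) for the failing user: an attribute listed in the result is one the JIT step cannot fill, which narrows the problem to either the user’s profile on the IdP side or the claim name chosen in the mapping.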