Okta as an external Identity Provider produces "invalid_social_token" error

I am trying to get an Okta org to trust another by setting up one as an IDP and using the other on my client of an SPA.

The IDP has an application that follows:

The client has an Identity Provider set up like this:

I can’t verify the client secret is the same because its obfuscated on the IDP page without a show button but I’m reasonably confident they are.

The client then has an SPA app set up like this.

There is also route rules for IDP discovery set up as well but I don’t think its necessary to show that configuration here.

When I attempt to log into my client SPA with an account from the IDP i receive this error:

The system log from the Client shows this error:

DebugData

The IDP system log is showing successes as shown below:

I’m happy to provide any other information or logs necessary.

Hi @nickolasfisher ,

One thing I notice is that the “JWKS endpoint” in your config is incorrect.
It should be https://dev-51519050.okta.com/oauth2/default/v1/keys (missing /default)

If that doesn’t fix the issue,
I would also try to use the org issuer instead of the default issuer you are trying.
i.e. Issuer - https://dev-51519050.okta.com
Authorization endpoint - https://dev-51519050.okta.com/oauth2/v1/authorize etc…

Here’s my config in the downstream web app for example -

Screen Shot 2022-06-08 at 11.20.01 AM

Hope this helps.

Thank you @vijet that gets me most of the way there. I was getting crossed up between what was in https://${theIdPdomain}/.well-known/openid-configuration vs what [Add an external Identity Provider | Okta Developer](this article) says

Now I’m having an issue hitting the userInfo endpoint it seems. If I leave that field blank I get this error on JIT:

If I try to use the userInfo endpoint I get this

For clarity I’ve use these settings:

image

And these

image

Can you ensure you’re requesting the ‘profile’ scope in the IdP config?

Hi @andrea

I am requesting the profile scope:

image

I thought it might have to do with the profile mappings, this is my current setup, very close if not identical to the default

Hi @andrea and @vijet

Checking to see if you’ve been able to identify a potential solution. I’ve checked the mappings in the IDP and from the IDP to the client.

I also noticed the message on the IDP configuration

JIT account creation and activation only works for users who are not already Okta users.

So I attempted to disable the Account Linking but that resulted in the same error