Okta error with external IDP

Hi,
After successfull integration of social google and facebook IdP, I’m trying to integrate an external OIDC IdP but got an error.

Context :
I tried with okta hosted sign-in and npm sign in widget into my jhipster app but both did the same :
Authentication with keycloack is OK

First : I call my okta domain
https://auth.opt.nc/oauth2/default/v1/authorize?client_id=0oa13jgoqo16FZJRb357&display=page&idp=0oa13rr52mC4dSsJW357&nonce=0BJ4hLX0IMNW1VLNyBcDllrchVSGVzOrT9gKSghu7NQYPXBa5a21hZolildAE3u8&redirect_uri=http%3A%2F%2Fiam.lvh.me%3A9000%2Fimplicit%2Fcallback&response_mode=fragment&response_type=id_token%20token&state=2SjNEOzEW7NEitZiAQdYR5LLXtTCEySUveP62CYUMPzcu8UP5sytS8YULulXZvMI&scope=openid

302 to my external IDP :
https://connect-dev.gouv.nc/oidc/oauth/authorize?state=aFZWYkJUYWFpSGcrdGFDd3ZnZDRaSmdZOEhEYXM0ZmZVWlA3cnMza2NjbEdtTE5vMEFqVzVTZHpBbzNPcFJTNw&client_id=opt-iam-dev&response_type=code&login_hint&display=page&redirect_uri=https://auth.opt.nc/oauth2/v1/authorize/callback&scope=openid

302 to okta domain :
https://auth.opt.nc/oauth2/v1/authorize/callback?code=eyJhbGciOiJSUzUxMiJ9.eyJ1c2VyIjp7ImlkIjoiYjA2MmEzMmUtYTg3NC00N2ViLWI5MjQtNzdhODc4MWE1MTM1IiwibG9naW4iOiJraWhlbmljQG1haWxuZXQudG9wIiwibG9naW5BdCI6MTU3MjIzOTM3MTk1MX0sInJlcXVlc3QiOnsiY2xpZW50SWQiOiJvcHQtaWFtLWRldiIsInNjb3BlIjpbIm9wZW5pZCJdLCJyZXF1ZXN0UGFyYW1ldGVycyI6eyJsb2dpbl9oaW50IjoiIiwiZGlzcGxheSI6InBhZ2UiLCJzY29wZSI6Im9wZW5pZCIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwic3RhdGUiOiJhRlpXWWtKVVlXRnBTR2NyZEdGRGQzWm5aRFJhU21kWk9FaEVZWE0wWm1aVldsQTNjbk16YTJOamJFZHRURTV2TUVGcVZ6VlRaSHBCYnpOUGNGSlROdyIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vYXV0aC5vcHQubmMvb2F1dGgyL3YxL2F1dGhvcml6ZS9jYWxsYmFjayIsImNsaWVudF9pZCI6Im9wdC1pYW0tZGV2In0sInJlc291cmNlSWRzIjpbXSwiYXBwcm92ZWQiOnRydWUsInJlZGlyZWN0VXJpIjoiaHR0cHM6Ly9hdXRoLm9wdC5uYy9vYXV0aDIvdjEvYXV0aG9yaXplL2NhbGxiYWNrIiwicmVzcG9uc2VUeXBlcyI6WyJjb2RlIl0sImV4dGVuc2lvbnMiOnt9fSwiYXVkIjoiY29ubmVjdC1jb2RlIiwiZXhwIjoxNTcyMjQwNzYzfQ.jl75HXm3yYRQ6wKyuuMBmLOC47iGRO0hB8NtCYrn7jrhHIO-KJO2UodULjVJGt5QXBdxnKps731GRtqC0yzsIkSigiWgbiEmbAgBswR2_kEBFldnZAB1ho3YgLazcTHGCdyCyJvMcapTj0yubjZNMgDn_eGGHxeq-329wDyLETGT8nHtkPFHlMXHy6X9mNoNs0MHf7nZJaholuYfuTKx3jkpomRG7ZxyK4M3dwsZYaNftfcVobzSMlYLsxis8do4Wm4_fVNH5LakoJ3SPxyGjP7q9TArdx6j_-Q4LG8Ho3dB5kYp8F6IT3gM_zZN4ZA71EsYllQoSJBgF2hdNyptxg&state=aFZWYkJUYWFpSGcrdGFDd3ZnZDRaSmdZOEhEYXM0ZmZVWlA3cnMza2NjbEdtTE5vMEFqVzVTZHpBbzNPcFJTNw

And here is my error :
http://iam.lvh.me:9000/implicit/callback#state=2SjNEOzEW7NEitZiAQdYR5LLXtTCEySUveP62CYUMPzcu8UP5sytS8YULulXZvMI&error=invalid_social_token&error_description=Could+not+acquire+access+token+from+authorization+code.

error: "invalid_social_token"
error_description: "Could not acquire access token from authorization code."

I read from another topic that this error happens when client_secret is wrong, but I check it and test it with curl and it’s OK.

The only difference I see with social IDP (which are successfull) is the code (from authorization_code) length :

  • 90 characters for social IDP
  • 1199 characters for external IDP

Can you help me please ?

Hi @KevinLasserre

How do you have the configuration set for user matching? You can find this under Admin >> Security >> Identity Providers >> click “Configure” >> Configure Identity Provider (if using the developer console, Users >> Social & Identity Providers >> click “Configure” >> Configure Identity Provider). From here, click “Show Advanced Settings”.

The configuration should look like the following:

Hi @dragos thank you for your help.
Yes I check your screen and i have the exact same configuration.
I observe two days in a row that connexion is succefull once a day, on the first try.
Every other try comes with the error mention before :
error: "invalid_social_token"
error_description: "Could not acquire access token from authorization code."
Moreover, log shows an internal NullPointerException :

Hi @KevinLasserre

Can you please open a support case through an email to developers@okta.com explaining the issue? Through a support case, we can further dig in the logs and narrow down the issue.

On the off chance someone else finds this, I ran into this issue as well. The external IDP should be configured to use Bearer or POST auth rather than basic or PKCE.

Hope that saves someone some time.

Hi Brian,

do you have an example oof whatt you mean?

I had my idp working before but not too sure when okta changed and it broke.

I hit this error too and the System Log was instrumental in tracking it down. Ultimately it was a different root cause from the OP and others who commented here.

Issuer is invalid in id_token

I’m using Auth0 and there needed to be a / at the end of the issuer URL.