Okta error with external IDP

Hi,
After successful integration of the social Google and Facebook IdPs, I'm trying to integrate an external OIDC IdP but got an error.

Context:
I tried with the Okta-hosted sign-in and the npm sign-in widget in my JHipster app, but both did the same:
Authentication with Keycloak is OK

First: I call my Okta domain
https://auth.opt.nc/oauth2/default/v1/authorize?client_id=0oa13jgoqo16FZJRb357&display=page&idp=0oa13rr52mC4dSsJW357&nonce=0BJ4hLX0IMNW1VLNyBcDllrchVSGVzOrT9gKSghu7NQYPXBa5a21hZolildAE3u8&redirect_uri=http%3A%2F%2Fiam.lvh.me%3A9000%2Fimplicit%2Fcallback&response_mode=fragment&response_type=id_token%20token&state=2SjNEOzEW7NEitZiAQdYR5LLXtTCEySUveP62CYUMPzcu8UP5sytS8YULulXZvMI&scope=openid

302 to my external IdP:
https://connect-dev.gouv.nc/oidc/oauth/authorize?state=aFZWYkJUYWFpSGcrdGFDd3ZnZDRaSmdZOEhEYXM0ZmZVWlA3cnMza2NjbEdtTE5vMEFqVzVTZHpBbzNPcFJTNw&client_id=opt-iam-dev&response_type=code&login_hint&display=page&redirect_uri=https://auth.opt.nc/oauth2/v1/authorize/callback&scope=openid

302 to Okta domain:
https://auth.opt.nc/oauth2/v1/authorize/callback?code=eyJhbGciOiJSUzUxMiJ9.….jl75HXm3yYRQ6wKyuuMBmLOC47iGRO0hB8NtCYrn7jrhHIO-KJO2UodULjVJGt5QXBdxnKps731GRtqC0yzsIkSigiWgbiEmbAgBswR2_kEBFldnZAB1ho3YgLazcTHGCdyCyJvMcapTj0yubjZNMgDn_eGGHxeq-329wDyLETGT8nHtkPFHlMXHy6X9mNoNs0MHf7nZJaholuYfuTKx3jkpomRG7ZxyK4M3dwsZYaNftfcVobzSMlYLsxis8do4Wm4_fVNH5LakoJ3SPxyGjP7q9TArdx6j_-Q4LG8Ho3dB5kYp8F6IT3gM_zZN4ZA71EsYllQoSJBgF2hdNyptxg&state=aFZWYkJUYWFpSGcrdGFDd3ZnZDRaSmdZOEhEYXM0ZmZVWlA3cnMza2NjbEdtTE5vMEFqVzVTZHpBbzNPcFJTNw

And here is my error:
http://iam.lvh.me:9000/implicit/callback#state=2SjNEOzEW7NEitZiAQdYR5LLXtTCEySUveP62CYUMPzcu8UP5sytS8YULulXZvMI&error=invalid_social_token&error_description=Could+not+acquire+access+token+from+authorization+code.

error: "invalid_social_token"
error_description: "Could not acquire access token from authorization code."

I read in another topic that this error happens when the client_secret is wrong, but I checked it and tested it with curl and it's OK.

The only difference I see compared with the social IdPs (which are successful) is the length of the code (from authorization_code):

  • 90 characters for the social IdPs
  • 1199 characters for the external IdP

Can you help me please ?

Hi @KevinLasserre

How do you have the configuration set for user matching? You can find this under Admin >> Security >> Identity Providers >> click “Configure” >> Configure Identity Provider (if using the developer console, Users >> Social & Identity Providers >> click “Configure” >> Configure Identity Provider). From here, click “Show Advanced Settings”.

The configuration should look like the following:

Hi @dragos, thank you for your help.
Yes, I checked your screenshot and I have the exact same configuration.
I have observed two days in a row that the connection is successful once a day, on the first try.
Every other try comes with the error mentioned before:
error: "invalid_social_token"
error_description: "Could not acquire access token from authorization code."
Moreover, the log shows an internal NullPointerException:

Hi @KevinLasserre

Can you please open a support case through an email to developers@okta.com explaining the issue? Through a support case, we can further dig in the logs and narrow down the issue.

On the off chance someone else finds this, I ran into this issue as well. The external IdP should be configured to use Bearer or POST auth rather than Basic or PKCE.

Hope that saves someone some time.


Hi Brian,

Do you have an example of what you mean?

I had my IdP working before, but I'm not too sure when Okta changed and it broke.

I hit this error too and the System Log was instrumental in tracking it down. Ultimately it was a different root cause from the OP and others who commented here.

Issuer is invalid in id_token

I’m using Auth0 and there needed to be a / at the end of the issuer URL.

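Two of the replies above point at the same step of the flow: the back-channel exchange in which Okta redeems the authorization code at the external IdP's token endpoint and then validates the returned id_token. The following is an added example, not code from the thread or from Okta, that makes both failure modes concrete offline: it builds the token request under `client_secret_basic` versus `client_secret_post` (the "Basic" versus "POST" choice in Brian's reply; if the IdP is registered for one method and Okta sends the other, the IdP rejects the exchange and Okta reports "Could not acquire access token from authorization code"), and it applies the exact-match issuer comparison required by OpenID Connect Core 3.1.3.7, which is why `https://tenant.auth0.com` and `https://tenant.auth0.com/` are different issuers. The token endpoint, client secret, tenant name and the unsigned test token are all constructed for the example; nothing is sent over the network and no signature is verified.

```python
"""Added example: Okta-side code exchange with the external IdP and the
id_token issuer check. All endpoint/secret/token values below are made up."""
import base64
import json
from urllib.parse import urlencode

# Constructed values; in a real deployment these come from the IdP config.
TOKEN_ENDPOINT = "https://idp.example/oidc/oauth/token"       # assumption
CLIENT_ID = "opt-iam-dev"                                     # from the thread
CLIENT_SECRET = "s3cr3t-example"                              # assumption
REDIRECT_URI = "https://auth.opt.nc/oauth2/v1/authorize/callback"


def token_request(code: str, auth_method: str) -> dict:
    """Build the authorization_code -> token request as the IdP would see it.

    auth_method uses the OIDC client authentication names:
      client_secret_basic -> credentials in an HTTP Basic Authorization header
      client_secret_post  -> credentials as form fields in the body
    The IdP only accepts the method the client is registered for; under the
    wrong one it never sees valid credentials and returns invalid_client.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        creds = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif auth_method == "client_secret_post":
        body["client_id"] = CLIENT_ID
        body["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported client auth method: {auth_method}")
    return {"url": TOKEN_ENDPOINT, "headers": headers, "body": urlencode(body)}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed test token with alg=none and an empty signature.
    Only for exercising claim checks here; never accept such a token."""
    return f"{_b64url_encode({'alg': 'none'})}.{_b64url_encode(claims)}."


def id_token_issuer(id_token: str) -> str:
    """Return the `iss` claim of a compact-serialised JWT.
    Deliberately no signature verification: this isolates the issuer check."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))["iss"]


def issuer_matches(id_token: str, configured_issuer: str) -> bool:
    """OIDC Core 3.1.3.7 step 2: `iss` MUST exactly match the configured
    issuer identifier. No normalisation, so a trailing slash is a mismatch."""
    return id_token_issuer(id_token) == configured_issuer


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        req = token_request("AUTHCODE-FROM-CALLBACK", method)
        print(method, "->", req["headers"].get("Authorization", "(no header)"),
              "|", req["body"])

    # Auth0-style issuer with a trailing slash; the configured value lacks it.
    token = make_unsigned_id_token({"iss": "https://tenant.auth0.com/", "sub": "u1"})
    print(issuer_matches(token, "https://tenant.auth0.com"))   # False
    print(issuer_matches(token, "https://tenant.auth0.com/"))  # True
```

Run it with `python3` to see the two request shapes side by side and the issuer comparison flip from False to True once the trailing slash is present. When debugging a real deployment, the corresponding evidence is the IdP's token-endpoint log (an `invalid_client` response means the authentication method or secret does not match its client registration) and, for the second case, the "Issuer is invalid in id_token" entry in the Okta System Log that the last reply mentions.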
