Okta is not hitting my /token endpoint after successful authentication via external IdP and custom domain

Hello,

I am building an external IdP integration using OIDC. My flow involves:

  1. hitting my /authorization_endpoint, which redirects to the Okta-provided redirect URL with an authorization code
  2. I expect Okta to then call my /token endpoint with the code

However, I am noticing that Okta is not calling /token at all, based both on network logs and application logs. I have previously dealt with errors where my /token endpoint was returning a value Okta considered invalid; however this time I am positive that Okta is returning the error message without attempting to call /token at all.

An error log is emitted in Okta:

  "debugContext": {
    "debugData": {
      "authnRequestId": "0865fc9d73a8bc30070c706dfc53c0c5",
      "requestId": "5c2bee2ed38b7f02592cb720be558d80",
      "dtHash": "f5df74d13ad592b2bd853b45cfb428ddff8c379ac57f2c86ad2296fdf30c628e",
      "requestUri": "/oauth2/v1/authorize/callback",
      "threatSuspected": "false",
      "errors": "com.saasure.platform.services.idp.exception.IdpAuthenticationException: Could not obtain access token from OIDC. Reason: ",
      "url": "/oauth2/v1/authorize/callback?code=******&state=bUlURXlZQUJIZDRGeWFSS3JudzFlM2JjNEE5YW5BZXYzZ2JtK2NuRG9hT25iYnZid09PSGFndjhzaHNBSjhHdA"
    }
  },

Note the empty reason in the "errors" field.

Further error messages in logs include "Unable to retrieve an access token for the Identity Provider" and "core.user_auth.idp.social.cannot_acquire_access_token".

My IdP configuration in Okta is extremely simple and follows the instructions linked above. (IdP usage is ‘Factor only’, and all other settings are the defaults.)

I suspect the issue is that one tenant I am testing this integration in has a custom domain. On the IdP screen, Authorize URL is reported as https://oktapreview.mysite.com, while the Redirect URL is reported as https://mysite.oktapreview.com. I have compared to another test tenant with no custom domain, and the integration works as expected. Again I suspect the custom domain is the issue, but there may be another discrepancy in my tenants I have not yet identified. Does the starting (authorize) and ending (redirect) URL need to be the same for Okta to proceed with the authorization code and hit /token?

Any further insight would be appreciated; due to the lack of clarity in the error message it is difficult to investigate further. Thank you!

The issue was on our end; there was a client ID and secret mismatch. A clearer error message here would be valuable!
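Since the root cause turned out to be a client ID and secret mismatch, the following added example (not the poster's code and not Okta's) sketches what a minimal /token endpoint of an external OIDC IdP should check, and shows how returning the RFC 6749 error codes (invalid_client, invalid_grant) gives the relying party a concrete reason instead of an empty one. Every client ID, secret, authorization code and URL here is constructed; the example assumes, as a simplification, that the caller may present client credentials either as HTTP Basic (client_secret_basic) or in the POST body (client_secret_post), which is an assumption rather than something the page states about Okta.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registration: the client_id/secret that the relying party (e.g. Okta)
# must present. A mismatch here is exactly the failure mode from the thread.
REGISTERED_CLIENTS = {"okta-idp-client": "s3cret-registered-in-okta"}

# Outstanding one-time authorization codes issued by the /authorize endpoint.
ISSUED_CODES = {}


def issue_code(client_id, redirect_uri):
    """Simulate /authorize issuing a single-use code bound to a client and redirect_uri."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return code


def basic_auth_header(client_id, client_secret):
    """Build an HTTP Basic Authorization header value (client_secret_basic)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def encode_form(fields):
    """application/x-www-form-urlencoded body, as a token request would send it."""
    return urlencode(fields)


def _client_credentials(headers, form):
    """Extract (client_id, client_secret) from Basic auth or, failing that, the form body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except Exception:
            return None, None
        client_id, _, client_secret = decoded.partition(":")
        return client_id, client_secret
    return form.get("client_id"), form.get("client_secret")


def handle_token_request(headers, body):
    """Handle POST /token; return (http_status, json_body) per RFC 6749 section 5."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id, client_secret = _client_credentials(headers, form)

    # 1. Authenticate the client. Constant-time compare avoids leaking the secret by timing.
    expected = REGISTERED_CLIENTS.get(client_id or "")
    if expected is None or client_secret is None or not hmac.compare_digest(
        expected.encode(), client_secret.encode()
    ):
        # A descriptive error_description is what the thread's empty "Reason: " was missing.
        return 401, {
            "error": "invalid_client",
            "error_description": "client_id or client_secret does not match the registered client",
        }

    # 2. Only the authorization_code grant is supported by this example.
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type",
                     "error_description": "only authorization_code is supported"}

    # 3. The code must exist, be unused, and have been issued to this same client.
    record = ISSUED_CODES.pop(form.get("code", ""), None)  # pop enforces single use
    if record is None or record["client_id"] != client_id:
        return 400, {"error": "invalid_grant",
                     "error_description": "code unknown, expired, already used, or issued to another client"}

    # 4. redirect_uri must equal the one bound to the code at /authorize.
    if form.get("redirect_uri") != record["redirect_uri"]:
        return 400, {"error": "invalid_grant",
                     "error_description": "redirect_uri does not match the one used at /authorize"}

    # 5. Success: issue a bearer token (opaque random value in this example).
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    cb = "https://mysite.oktapreview.com/oauth2/v1/authorize/callback"
    code = issue_code("okta-idp-client", cb)
    print(handle_token_request({"Authorization": basic_auth_header("okta-idp-client", "wrong")},
                               encode_form({"grant_type": "authorization_code",
                                            "code": code, "redirect_uri": cb})))
```

Running the module shows a 401 with error "invalid_client" for the wrong-secret case, which is the kind of message a relying party can log instead of an empty reason; the code is consumed on first use, so a replayed request gets "invalid_grant".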
