I am in the process of setting up Okta sign-in for a few internal webapps at my organization, following the steps at Use nginx to Add Authentication to Any Application | Okta Developer to combine Okta.
My organization internally uses Okta Workforce Identity, however for this app buildout I am using a new Okta Customer Identity tenant so we can add external users as well. Sign-in with Oauth2 OpenID Connect to the apps behind Nginx is working correctly for users in my new Okta Customer Identity tenant. What is not working, however, is setting up Okta-to-Okta Social Login from our internal Okta Workforce Identity tenant to the new Okta Customer Identity tenant.
I set up the Okta-to-Okta Social Login following Create an App at the Identity Provider | Okta Developer and constructed a login URL according to the instructions for testing the integration.
When I attempt to log in using the test URL against my Okta Customer Identity tenant, I am correctly redirected to my Okta Workforce Identity tenant and am able to sign in. My Workforce Identity tenant logs an "OIDC access token is granted SUCCESS" message and redirects back to my Customer Identity tenant to complete the sign-in; however, my Customer Identity tenant fails the sign-in and sends an error message on to my application. The URL that finally reaches my application is of the form https://my-app-vouch-proxy.example.com/auth#state=example&error=access_denied&error_description=The+UserInfo+response+is+invalid
In addition to this, my Customer Identity tenant logs an error message: FAILURE : The UserInfo response from the Identity Provider is invalid
Digging deeper into the error message log in the Customer Identity tenant, Event → System → DebugContext → DebugData → Errors reads: com.saasure.platform.services.idp.IdpAuthException$InvalidTokenException: com.saasure.platform.services.idp.exception.IdpAuthenticationException: Issuer is invalid in id_token
The symptoms seem nearly identical to those described by the following post, except that the resolution of that post does not work for me: Userinfo response from the Identity Provider is invalid
I have double-checked my Social Login settings in the Customer Identity tenant against my Workforce Identity tenant's https://{theOktaIdPOrg}/.well-known/openid-configuration URL. I'm using the plain https://{theOktaIdPOrg} as the Social Integration issuer URL.
Other details:
- My Workforce Identity tenant is on a custom domain
- My new Customer Identity tenant is on a default Okta domain of the form dev-12345.okta.com
- The authentication flow seems to fail before it touches my Vouch Proxy server.
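The failing step is the issuer comparison the Customer Identity tenant performs on the id_token it receives from the Workforce Identity tenant. The following added diagnostic (not from the original post, not Okta's code) compares the issuer URL configured on the Social Login integration, the `issuer` advertised by the IdP's discovery document, and the `iss` claim inside an id_token, and reports where they disagree. The discovery document, token and hostnames (login.example.com as a custom domain, example.okta.com as a default org domain) are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.
    This is only for reading the iss claim while diagnosing a mismatch;
    it must never be used to decide whether a token is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def normalize_issuer(url: str) -> str:
    """Strip whitespace and one trailing slash. OIDC issuer matching is otherwise
    an exact string comparison, so nothing else is normalized."""
    return url.strip().rstrip("/")


def diagnose_issuer(configured_issuer: str, discovery_doc: dict, id_token: str) -> list:
    """Return a list of human-readable mismatches; an empty list means consistent."""
    problems = []
    cfg = configured_issuer.strip()
    if "{" in cfg or "}" in cfg:
        problems.append("configured issuer still contains a brace placeholder: " + cfg)
    disc = discovery_doc.get("issuer", "")
    iss = decode_jwt_payload(id_token).get("iss", "")
    if normalize_issuer(cfg) != normalize_issuer(disc):
        problems.append(f"configured issuer {cfg!r} != discovery issuer {disc!r}")
    if normalize_issuer(disc) != normalize_issuer(iss):
        problems.append(f"discovery issuer {disc!r} != id_token iss {iss!r}")
    if urlparse(normalize_issuer(cfg)).netloc != urlparse(normalize_issuer(iss)).netloc:
        # Typical cause: the IdP org signs tokens under its custom domain while the
        # integration was configured with the default *.okta.com URL, or vice versa.
        problems.append("hostname differs between configured issuer and id_token iss")
    return problems


def constructed_id_token(claims: dict) -> str:
    """Build a demo token (constructed, dummy signature) carrying the given claims."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'demo'})}.{seg(claims)}.c2ln"


# Constructed sample: IdP on a custom domain, integration configured with the org domain.
SAMPLE_DISCOVERY = {"issuer": "https://login.example.com"}
SAMPLE_TOKEN = constructed_id_token({"iss": "https://login.example.com", "sub": "user1"})
```

Running `diagnose_issuer("https://example.okta.com", SAMPLE_DISCOVERY, SAMPLE_TOKEN)` reports both the issuer string mismatch and the hostname difference, whereas configuring the custom-domain URL yields an empty list.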