Okta-to-Okta Social Login fails: The UserInfo response from the Identity Provider is invalid

I am in the process of setting up Okta sign-in for a few internal webapps at my organization, following the steps at Use nginx to Add Authentication to Any Application | Okta Developer to combine Okta with nginx.

My organization internally uses Okta Workforce Identity; however, for this app buildout I am using a new Okta Customer Identity tenant so we can add external users as well. Sign-in with OAuth2/OpenID Connect to the apps behind nginx is working correctly for users in my new Okta Customer Identity tenant. What is not working, however, is setting up Okta-to-Okta Social Login from our internal Okta Workforce Identity tenant to the new Okta Customer Identity tenant.

I set up the Okta-to-Okta Social Login following Create an App at the Identity Provider | Okta Developer and constructed a login URL according to the instructions for testing the integration.

When I attempt to log in using the test URL against my Okta Customer Identity tenant, I am correctly redirected to my Okta Workforce Identity tenant and am able to sign in. My Workforce Identity tenant logs an "OIDC access token is granted" SUCCESS message and redirects back to my Customer Identity tenant to complete the sign-in; however, my Customer Identity tenant fails the sign-in and sends an error message on to my application. The URL that finally reaches my application is of the form https://my-app-vouch-proxy.example.com/auth#state=example&error=access_denied&error_description=The+UserInfo+response+is+invalid

In addition to this, my Customer Identity tenant logs an error message: "FAILURE: The UserInfo response from the Identity Provider is invalid".

Digging deeper into the error message log in the Customer Identity tenant, Event → System → DebugContext → DebugData → Errors reads: com.saasure.platform.services.idp.IdpAuthException$InvalidTokenException: com.saasure.platform.services.idp.exception.IdpAuthenticationException: Issuer is invalid in id_token

The symptoms seem nearly identical to those described by the following post, except that the resolution of that post does not work for me: Userinfo response from the Identity Provider is invalid

I have double-checked my Social Login settings in the Customer Identity tenant against my Workforce Identity tenant's https://{theOktaIdPOrg}/.well-known/openid-configuration URL. I'm using the plain https://{theOktaIdPOrg} as the Social Integration issuer URL.

Other details:

  • My Workforce Identity tenant is on a custom domain
  • My new Customer Identity tenant is on a default Okta domain of the form dev-12345.okta.com
  • The authentication flow seems to fail before it touches my Vouch Proxy server.

It sounds like the issuer URL might be wrong (or mismatched).

  • Can you log in to the Workforce org?
  • Navigate to the OIDC application for your Org2Org.
  • On the 'Sign On' tab, in the 'OpenID Connect Token' section, note the URL being used (custom or okta).
  • In the Customer Identity org, navigate to the Org2Org IdP you set up.
  • Click Configure → Configure Identity Provider.
  • Under 'Endpoints', make sure the issuer URL is the same as the one from above. Also make sure there is no trailing slash.

All the other endpoints should use the same FQDN as the issuer.

Hope that helps.

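The checks in the answer above (issuer copied exactly from the IdP, no trailing slash, every endpoint on the same FQDN as the issuer) can be scripted. The following is an added example, not code from the thread or from Okta: it compares the issuer and endpoints typed into the SP-side IdP settings against a constructed discovery document and against the `iss` claim of a constructed, unsigned id_token. The hostname `idp.example-workforce.com` and the `demo()` helper are placeholders chosen for the example. OIDC Core section 3.1.3.7 makes the `iss` check an exact string comparison, which is why `https://idp` and `https://idp/` are different issuers and produce exactly the "Issuer is invalid in id_token" class of failure.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed discovery document in the shape of
# https://{theOktaIdPOrg}/.well-known/openid-configuration.
# "idp.example-workforce.com" stands in for a Workforce custom domain;
# it is a placeholder, not a real tenant.
IDP_DISCOVERY = {
    "issuer": "https://idp.example-workforce.com",
    "authorization_endpoint": "https://idp.example-workforce.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example-workforce.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example-workforce.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idp.example-workforce.com/oauth2/v1/keys",
}
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED (alg=none) id_token so the diagnostic has a
    payload to read. A real relying party must never accept alg=none."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def id_token_iss(id_token: str) -> str:
    """Read iss from the payload WITHOUT verifying the signature. Acceptable
    for diagnosing a mismatch; claims must not be trusted before JWS checks."""
    return json.loads(_unb64url(id_token.split(".")[1]))["iss"]


def check_idp_config(configured: dict, discovery: dict, id_token: str) -> list:
    """Compare the issuer/endpoints configured on the SP side (here: the
    Customer Identity Org2Org IdP) with what the IdP publishes and what it
    puts in id_tokens. Returns a list of findings; empty means consistent."""
    findings = []
    cfg_iss = configured["issuer"]
    if cfg_iss.endswith("/"):
        findings.append(f"configured issuer has a trailing slash: {cfg_iss!r}")
    if cfg_iss != discovery["issuer"]:
        findings.append(f"configured issuer {cfg_iss!r} != published issuer {discovery['issuer']!r}")
    iss = id_token_iss(id_token)
    if iss != cfg_iss:  # exact string compare, per OIDC Core 3.1.3.7
        findings.append(f"id_token iss {iss!r} != configured issuer {cfg_iss!r}")
    iss_host = urlsplit(cfg_iss).netloc
    for key in ENDPOINT_KEYS:  # all endpoints should share the issuer's FQDN
        host = urlsplit(configured[key]).netloc
        if host != iss_host:
            findings.append(f"{key} host {host!r} != issuer host {iss_host!r}")
    return findings


def demo() -> dict:
    """Run the check against a constructed broken (trailing slash) and fixed config."""
    token = make_unsigned_id_token({"iss": IDP_DISCOVERY["issuer"],
                                    "sub": "user@example.com",
                                    "aud": "0oaexampleclientid"})  # placeholder client id
    good = {"issuer": IDP_DISCOVERY["issuer"], **{k: IDP_DISCOVERY[k] for k in ENDPOINT_KEYS}}
    bad = dict(good, issuer=IDP_DISCOVERY["issuer"] + "/")
    return {"bad": check_idp_config(bad, IDP_DISCOVERY, token),
            "good": check_idp_config(good, IDP_DISCOVERY, token)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

To use it against a real tenant, replace `IDP_DISCOVERY` with the JSON fetched from the Workforce org's `/.well-known/openid-configuration`, fill `configured` with the values from Configure Identity Provider → Endpoints, and paste an id_token captured from the Workforce org's Sign On tab URL (custom domain vs. default okta.com matters, because that is the value that ends up in `iss`).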

Hello @erik, thanks for the response! It looks like the trailing slash was indeed the issue.
