The UserInfo response is invalid. When trying to use custom external oidc IDP as a custom authenticator

Hi,

I have an external OIDC IdP that I'm trying to use as a factor Identity Provider. It's custom, so I'm creating the endpoints for Okta to interact with so that it can be used as a second-factor authenticator. I return a JWT as the id_token from the token endpoint, and the Okta system admin logs show the following error:
[FAILURE]: The UserInfo response is invalid.

I’m trying to understand what specifically is invalid about the UserInfo response.

I tried to provide the optional "/userinfo" endpoint and return an access_token from the "/token" endpoint. When Okta reaches out to the "/userinfo" endpoint, I receive the same error when providing user profile info.

An example of the claims I return as part of the user profile is below. Am I missing something here? Thank you!

{
  "aud": "c23264d3-e4d1-4a18-af6f-1cdaf1b6f1b2",
  "exp": 1734243152,
  "jti": "2120e5c4-6d64-4f32-bece-cc59026d403b",
  "iat": 1734239552,
  "iss": "",
  "sub": "898f3fbd-1e21-43ad-b85e-3d213b785b4e",
  "nonce": "ioIFuxSmHmn_-Zf7Qd4gPVsxcCnW49YD",
  "email": "haris@nametagexample.com",
  "email_verified": true,
  "amr": [
    "password"
  ],
  "auth_time": 1734239552,
  "idp": "00ok1u7AsAkrwdZL3z0g3",
  "ver": "1"
}

I have verified that the nonce is preserved exactly as Okta provides it when calling the /authorize endpoint. The aud is the client ID that is also passed in by Okta. The iss is what I have configured in the IdP configuration. The scopes requested are openid and email.
Am I missing something? Is there a way to get more detailed logs as to what it doesn't like about the user info being provided?

Appreciate the help

I figured out the issue. preferred_username is a required claim, which I was missing.
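As an added illustration of the fix above (example code, not from the thread or from Okta), the check below takes a claim set like the one posted, the issuer configured in the IdP settings, and the client_id and nonce from the /authorize request, and reports what would be rejected. The preferred_username requirement follows the finding in this thread; the remaining checks (iss, aud, nonce, exp) are standard OIDC token validation rules and are assumed here, not confirmed as Okta's exact logic. The issuer URL and the sample claims are constructed.

```python
import time

# Constructed sample modelled on the claims posted in the thread.
# The issuer value is hypothetical; the original post left "iss" blank.
SAMPLE_CLAIMS = {
    "aud": "c23264d3-e4d1-4a18-af6f-1cdaf1b6f1b2",
    "exp": 1734243152,
    "iat": 1734239552,
    "iss": "https://idp.example.invalid",
    "sub": "898f3fbd-1e21-43ad-b85e-3d213b785b4e",
    "nonce": "ioIFuxSmHmn_-Zf7Qd4gPVsxcCnW49YD",
    "email": "haris@nametagexample.com",
    "email_verified": True,
}

# Claims this check insists on; preferred_username is the one the thread found missing.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "nonce", "preferred_username")


def check_claims(claims, expected_iss, expected_aud, expected_nonce, now=None):
    """Return a list of problems with the claim set; an empty list means it passes."""
    now = time.time() if now is None else now
    problems = []
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing required claim: {name}")
    if "preferred_username" in claims and not claims["preferred_username"]:
        problems.append("preferred_username is empty")
    if claims.get("iss") != expected_iss:
        problems.append("iss does not match the issuer configured in the IdP settings")
    # aud may be a single string or a list; the client_id Okta sent must be in it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        problems.append("aud does not contain the client_id Okta sent")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the /authorize request")
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token is expired")
    return problems


if __name__ == "__main__":
    for problem in check_claims(SAMPLE_CLAIMS, "https://idp.example.invalid",
                                SAMPLE_CLAIMS["aud"], SAMPLE_CLAIMS["nonce"]):
        print(problem)
```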

