Token error - 400 sub system claim cant be evaluated

arung86 · February 13, 2021, 2:57pm

Not able to successfully login with self hosted widget

`

sigama · February 16, 2021, 11:59pm

Hi @arung86! The sub claim in the access token should be set to the userName attribute. Please make sure you have a claim “sub” in your access token set to (appuser != null) ? appuser.userName : app.clientId - see my example screenshot for guidance.

Security > API > Authorization Server > Claims

Lijia · February 18, 2021, 12:19am

@arung86 Hi, not sure if you figured out the issue. Besides checking the settings @sigama mentioned,
please make sure the user is assigned to the app and the policy is set up correctly.
Added similar resolved questions for your reference.

sigama · April 22, 2021, 12:25am

Update: un-assigning and reassigning the user to the app also resolves this issue.

Hassleboff · July 15, 2021, 4:44pm

Hi @Lijia , @sigama

Quick question…why does Okta set the sub claim in the access_token to the appuser.userName rather than user.id (sub set within the id_token)?

I’m asking because I have a .NET core web api (v3.1) and I’m trying to figure out how to link the various entities stored in my backend to the identity stored within Okta.

As shown below, will everyone of my backend entities that I’m persisting be linked to the ‘login’ below?

var principal = HttpContext.User.Identity as ClaimsIdentity;

var login = principal.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier)?.Value;

I should add that a react front-end is accessing the backend web api.

Thanks!

Lijia · July 27, 2021, 7:45pm

@Hassleboff
userId is the “sub” value in id token or the “uid” value in access token.
In access token, Okta set “sub” by default with “(appuser != null) ? appuser.userName : app.clientId”
You can see this configuration under claims tab.

For more details, you can check Final: OpenID Connect Core 1.0 incorporating errata set 1

Hassleboff · July 27, 2021, 8:24pm

@Lijia

Thank you for your reply. So with that said, two follow up questions:

Should I be using the uid claim or the sub claim (per the okta default, currently set to appuser.userName) from the access token when persisting entities within my backend repository for my application?
Is the uid claim alone enough to be unique, or does this need to be combined with the iss claim (social logins)?

Lijia · July 27, 2021, 8:35pm

From access token, sub = (appuser != null) ? appuser.userName : app.clientId. It depends on if you have duplicated usernames, for example, duplicated email addresses. uid is safe to use.
uid is user id. Yes. User ID’s are randomly generated on user creation and unique across all Okta tenants.
For more info, you can check reference: