Token error - 400 sub system claim cant be evaluated

Not able to successfully login with self hosted widget


Hi @arung86! The sub claim in the access token should be set to the userName attribute. Please make sure you have a claim “sub” in your access token set to (appuser != null) ? appuser.userName : app.clientId - see my example screenshot for guidance.

Security > API > Authorization Server > Claims

@arung86 Hi, not sure if you figured out the issue. Besides checking the settings @sigama mentioned,
please make sure the user is assigned to the app and the policy is set up correctly.
Added similar resolved questions for your reference.

Update: un-assigning and reassigning the user to the app also resolves this issue.

1 Like

Hi @Lijia , @sigama

Quick question…why does Okta set the sub claim in the access_token to the appuser.userName rather than (sub set within the id_token)?

I’m asking because I have a .NET core web api (v3.1) and I’m trying to figure out how to link the various entities stored in my backend to the identity stored within Okta.

As shown below, will everyone of my backend entities that I’m persisting be linked to the ‘login’ below?

var principal = HttpContext.User.Identity as ClaimsIdentity;

var login = principal.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier)?.Value;

I should add that a react front-end is accessing the backend web api.


userId is the “sub” value in id token or the “uid” value in access token.
In access token, Okta set “sub” by default with “(appuser != null) ? appuser.userName : app.clientId”
You can see this configuration under claims tab.

For more details, you can check Final: OpenID Connect Core 1.0 incorporating errata set 1


Thank you for your reply. So with that said, two follow up questions:

  1. Should I be using the uid claim or the sub claim (per the okta default, currently set to appuser.userName) from the access token when persisting entities within my backend repository for my application?

  2. Is the uid claim alone enough to be unique, or does this need to be combined with the iss claim (social logins)?

  1. From access token, sub = (appuser != null) ? appuser.userName : app.clientId. It depends on if you have duplicated usernames, for example, duplicated email addresses. uid is safe to use.
  2. uid is user id. Yes. User ID’s are randomly generated on user creation and unique across all Okta tenants.
    For more info, you can check reference: