Using my own identity provider, it fails to sign in but then tries to connect to user info and throws an invalid user info

I am trying to use Okta with my own identity provider (OIdConnect). I have created an Identity Provider in Okta with matching client IDs and filled in the various endpoints to my application (currently localhost, served over ngrok).

My application also has a redirect back to Oktas link below
(okta domain )/oauth2/v1/authorize/callback .

I have then created a new routing rule where I simply use the identity provider I created above. When I test this by going into incognito and then using the url dev-xxxx(com), it brings me to

  1. Signing into Okta Dashboard
  2. Throws an error (There was a problem signing you into your identity provider. Please contact your administrator for help.)
  3. The UserInfo Response is Invalid.

I am slightly confused where the issue is, as all of the responses are 200 and my user info response contains the sub, email and iss. The iss matches the one inside my Okta configuration without any trailing slashes.

Update: I believe the issue actually lies in the There was a problem signing you into your identity provider. Please contact your administrator for help. How do I go about getting details of this error?

When I inspect the network packt, I see these thing a 302 GET to a dev-domain(okta com) with the Filename /login/error/redirect. Inspecting the location gives me the Okta domain + /login/error/redirect. In the location, it calls location
/enduser/callback?state=xxx&error=access_denied&error_description=The+UserInfo+response+is+invalid.

Is this a failure in terms of login in or the userinfo response? My user info response seems to follow the format.

Hello @desmond,

Assuming your IdP is OIDC compliant (see Certification - OpenID Foundation), it sounds possible that the /userinfo call is specifically causing problems. As this is optional for a custom OIDC IdP, can you please try removing that from your settings to see if it resolves the issue?

1 Like

Hi Daniel!

I have removed the /userinfo inside my IDP settings in Okta already. I noticed looking at the logs provided that there is an error that says

com.saasure.platform.services.idp.exception.IdpAuthenticationException: Nonce is invalid in id_token

I believe I failed to include the Nonce value in my id_token when creating the JWT. However, I am now struggling to find out where the Nonce value should be returned. I understand the first call to my /authorize endpoint, Okta provides a nonce. Is this the same nonce that should be included inside my id_token?

Thank you and I appreciate the reply!

Update: After storing the nonce from the first /authorize endpoint call and setting it inside the claims when generated when the id_token is called, I seem to have made some progress. Am now currently facing the error below, which hopefully means I have solved one problem and am facing the next one.

java.lang.IllegalArgumentException: RSA modulus is even