AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.

Yashwanth Yenugu 116 Reputation points
2020-03-30T09:14:58.51+00:00

I've integrated Okta as an external OIDC IDP in B2C custom Policies. I got the following error after logging in to the Okta and got redirected back to my .net core application.

Message contains error: 'invalid_request', error_description: 'AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.', error_uri: 'error_uri is null'.

What are the token and issuer mentioned in the error?

Microsoft Entra External ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,286 Reputation points
    2020-04-14T14:24:54.583+00:00

    @Yashwanth Yenugu Issue resolved by changing PartnerClaimType of issuerUserId from "id" to "sub" as mentioned below:

    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />

    The reason is, if you reference the OIDC metadata endpoint URL, you will see sub as a supported claim and not id.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


1 additional answer

  1. AmanpreetSingh-MSFT 56,286 Reputation points
    2020-03-30T12:28:35.123+00:00

    @Yashwanth Yenugu The error appears to be due to a mismatch between the value of the issuer configured in Okta technical profile within your custom policy and the issuer field in the token issued by Okta.

    If you navigate to the Okta technical profile, you should see a Metadata tag containing the OIDC metadata endpoint URL ending with /.well-known/openid-configuration. Access that URL and compare the issuer value with the one in the token issued by Okta.

    You may also have <Item Key="ValidTokenIssuerPrefixes"> under the metadata parameter. If you have configured it, make sure the issuer value in the token matches this parameter.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.
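The two answers above describe two separate checks: that the token's iss claim agrees with the issuer published in the IdP's discovery document (or with ValidTokenIssuerPrefixes when that is set), and that the PartnerClaimType mapped to issuerUserId names a claim the IdP actually issues (sub, not id). The script below is an added diagnostic example, not code from the thread or from Microsoft; it decodes a token's payload without verifying the signature (B2C does that itself) and runs both checks. The Okta hostname, the discovery-document contents and the tokens are constructed sample values, and treating ValidTokenIssuerPrefixes as a prefix match on iss is an assumption about how B2C applies that setting.

```python
import base64
import json
from typing import Dict, List, Optional

# Constructed sample of what an IdP's /.well-known/openid-configuration returns.
# The hostname is hypothetical and is not taken from the original question.
SAMPLE_METADATA = {
    "issuer": "https://example.okta.com/oauth2/default",
    "claims_supported": ["sub", "iss", "aud", "iat", "exp", "email", "name"],
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: Dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> Dict:
    """Return a JWT's payload without verifying its signature.

    Diagnostic only: this shows what B2C will see in 'iss' and 'sub'. It is not
    a substitute for signature validation, which B2C performs against the IdP's
    jwks_uri before it applies the checks modelled here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_sample_token(payload: Dict) -> str:
    """Build a constructed, unsigned token for local inspection only.

    A real token from Okta is signed; this one has an empty signature segment
    so the example runs offline without keys.
    """
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."


def check_issuer(payload: Dict, metadata: Dict,
                 valid_prefixes: Optional[List[str]] = None) -> List[str]:
    """Mirror the check behind AADB2C90238: 'iss' must equal the discovery
    document's 'issuer', or (assumption) start with a ValidTokenIssuerPrefixes
    entry when that metadata item is configured."""
    iss = payload.get("iss")
    if iss is None:
        return ["token has no 'iss' claim"]
    if valid_prefixes:
        if not any(iss.startswith(p) for p in valid_prefixes):
            return [f"'iss' {iss!r} does not start with any of {valid_prefixes!r}"]
        return []
    if iss != metadata["issuer"]:
        return [f"'iss' {iss!r} != metadata issuer {metadata['issuer']!r}"]
    return []


def check_issuer_user_id_mapping(payload: Dict, metadata: Dict,
                                 partner_claim_type: str) -> List[str]:
    """Mirror the accepted answer: the PartnerClaimType mapped to issuerUserId
    must be a claim the IdP lists in claims_supported and actually sends."""
    problems = []
    supported = metadata.get("claims_supported", [])
    if partner_claim_type not in supported:
        problems.append(f"PartnerClaimType {partner_claim_type!r} not in claims_supported {supported!r}")
    if partner_claim_type not in payload:
        problems.append(f"token carries no {partner_claim_type!r} claim, so issuerUserId would be empty")
    return problems


def diagnose(token: str, metadata: Dict, partner_claim_type: str,
             valid_prefixes: Optional[List[str]] = None) -> List[str]:
    """Run both checks and return the list of findings (empty means the token would pass)."""
    payload = decode_jwt_payload(token)
    return (check_issuer(payload, metadata, valid_prefixes)
            + check_issuer_user_id_mapping(payload, metadata, partner_claim_type))


if __name__ == "__main__":
    # Constructed tokens: one matching the metadata, one with a bare-host issuer
    # (the typical cause of AADB2C90238 when an authorization server path is missing).
    good = make_unsigned_sample_token({"iss": SAMPLE_METADATA["issuer"], "sub": "00u1abc", "aud": "b2c-app"})
    bad = make_unsigned_sample_token({"iss": "https://example.okta.com", "sub": "00u1abc", "aud": "b2c-app"})
    for label, tok, pct in [("good", good, "sub"), ("wrong issuer", bad, "sub"), ("wrong claim", good, "id")]:
        print(label, diagnose(tok, SAMPLE_METADATA, pct) or "OK")
```

To use it against a real login, capture the id_token returned to your B2C reply URL, fetch the technical profile's discovery URL, and pass both in place of the constructed values; the findings tell you whether to fix the issuer in the technical profile metadata, add a ValidTokenIssuerPrefixes item, or change the issuerUserId PartnerClaimType.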