YashwanthYenugu-6438 asked ·

AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.

I've integrated Okta as an external OIDC IdP in B2C custom policies. I got the following error after logging in to Okta and being redirected back to my .NET Core application.

Message contains error: 'invalid_request', error_description: 'AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.', error_uri: 'error_uri is null'.

What are the token and the issuer mentioned in the error?

azure-ad-b2c

amanpreetsingh-msft answered ·

@YashwanthYenugu-6438 Issue resolved by changing the PartnerClaimType of issuerUserId from "id" to "sub", as shown below:

<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />

The reason is that if you look at the OIDC metadata endpoint URL, you will see sub listed as a supported claim, not id.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

amanpreetsingh-msft answered ·

@YashwanthYenugu-6438 The error appears to be due to a mismatch between the issuer value configured in the Okta technical profile within your custom policy and the issuer field in the token issued by Okta.

If you navigate to the Okta technical profile, you should see a Metadata element where you might have an OIDC metadata endpoint URL ending with /.well-known/openid-configuration. Open that URL and compare its issuer value with the one in the token issued by Okta.

You may also have <Item Key="ValidTokenIssuerPrefixes"> under the Metadata element. If you have configured it, make sure the issuer value in the token matches this parameter.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

7 comments

I've navigated to the OIDC metadata endpoint URL ending with /.well-known/openid-configuration and got the issuer value, but how do I capture the token issued by Okta to compare the issuer value?

@YashwanthYenugu-6438 You need to capture a Fiddler trace for this purpose. Please follow the instructions below to capture a Fiddler trace:

Setup:

To get traces:

  • Start Fiddler (it will start capturing).

  • Repro the issue.

  • Stop Fiddler capturing by hitting the F12 key.

  • Save all sessions in a .saz file and send it via email to azcommunity[at]microsoft[dot]com. I will analyze the capture and let you know.

@YashwanthYenugu-6438 Have you had a chance to capture and share the Fiddler trace?

@amanpreetsingh-msft Yes, I've captured and shared it by mail. I didn't get any response back.

@YashwanthYenugu-6438, I couldn't find your email. Could you please send it again, including the thread URL?
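The two answers above boil down to two checks a policy author can do by hand once the Okta token has been captured: does the token's iss claim match the issuer published in the discovery document (or one of the configured ValidTokenIssuerPrefixes), and does the provider actually emit the claim named in PartnerClaimType. The script below is an added example written for this thread, not code from Microsoft, Okta or the original posters. The discovery document and the tokens it inspects are constructed inline with a placeholder tenant, the "signature" segment is a dummy string, and the prefix-match semantics for ValidTokenIssuerPrefixes are an assumption taken from the key's name.

```python
import base64
import json

# Constructed stand-in for the document served at
# <authorization-server>/.well-known/openid-configuration.
# The host is a placeholder, not a real Okta tenant.
DISCOVERY_DOC = {
    "issuer": "https://example-tenant.okta.com/oauth2/default",
    "claims_supported": ["sub", "iss", "aud", "iat", "exp", "email", "name"],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a compact JWT-shaped string for inspection exercises only.
    The third segment is a constant placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "placeholder"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    That is enough for reading iss/sub out of a captured trace; B2C itself still
    validates the signature against the provider's jwks_uri."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def issuer_check(claims: dict, discovery: dict, valid_prefixes=None) -> tuple:
    """Mirror the two issuer rules from the answer:
    - if ValidTokenIssuerPrefixes is configured, iss must start with one of
      them (prefix semantics assumed here from the key's name);
    - otherwise iss must equal the discovery document's issuer exactly."""
    iss = claims.get("iss")
    if not iss:
        return False, "token carries no iss claim"
    if valid_prefixes:
        if any(iss.startswith(p) for p in valid_prefixes):
            return True, f"iss {iss!r} matches ValidTokenIssuerPrefixes"
        return False, f"iss {iss!r} matches none of {valid_prefixes}"
    expected = discovery.get("issuer")
    if iss != expected:
        return False, f"iss {iss!r} != discovery issuer {expected!r}"
    return True, f"iss {iss!r} equals discovery issuer"


def partner_claim_available(discovery: dict, claims: dict, partner_claim: str) -> bool:
    """True when the claim named in PartnerClaimType is both advertised in
    claims_supported and actually present in the captured token."""
    return partner_claim in discovery.get("claims_supported", []) and partner_claim in claims


if __name__ == "__main__":
    good = make_sample_token({"iss": DISCOVERY_DOC["issuer"], "sub": "00uexample", "aud": "b2c-app"})
    # Constructed mismatch: an org-level issuer without the /oauth2/default path.
    bad = make_sample_token({"iss": "https://example-tenant.okta.com", "sub": "00uexample", "aud": "b2c-app"})
    for tok in (good, bad):
        claims = decode_jwt_claims(tok)
        print(issuer_check(claims, DISCOVERY_DOC))
        print("PartnerClaimType=sub usable:", partner_claim_available(DISCOVERY_DOC, claims, "sub"))
        print("PartnerClaimType=id usable:", partner_claim_available(DISCOVERY_DOC, claims, "id"))
```

To use it against a real trace, paste the id_token value from the captured Okta response into decode_jwt_claims and the JSON from the discovery URL into the discovery argument; the script deliberately never fetches anything so it can run offline. Decoding without signature verification is appropriate only for reading claims during troubleshooting; trust decisions stay with B2C's own validation.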