'AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.

Question

'AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.

Yashwanth Yenugu 111

I've integrated Okta as an external OIDC IDP in B2C custom Policies. I got the following error after logging in to the Okta and got redirected back to my .net core application.

Message contains error: 'invalid_request', error_description: 'AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.
', error_uri: 'error_uri is null'.

What are token & issuer which are mentioned in the error.

Answer 1

@Yashwanth Yenugu Issue resolved by changing PartnerClaimType of issuerUserId from "id" to "sub" as mentioned below:

< OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" / >

The reason is, If you reference OIDC metadata endpoint URL, you will see sub as supported claim and not id.

-----------------------------------------------------------------------------------------------------------

Please "Accept as answer" wherever the information provided helps you to help others in the community.

Answer 2

AmanpreetSingh-MSFT 55,366

@Yashwanth Yenugu The error appears to be due to a mismatch between the value of the issuer configured in Okta technical profile within your custom policy and the issuer field in the token issued by Okta.

If you navigate to Okta technical profile, you should see a Metadata tag where you might have OIDC metadata endpoint URL ending with /.well-known/openid-configuration. Access that URL and compare the issuer value with the token issued by Okta.

You may also have <Item Key="ValidTokenIssuerPrefixes"> under metadata parameter. If you have configured it, make sure the issuer value in the token matches with this parameter.

-----------------------------------------------------------------------------------------------------------

Please "Accept as answer" wherever the information provided helps you to help others in the community.

Yashwanth Yenugu 111 Reputation points

2020-04-06T07:54:18.49+00:00

I've navigated to the OIDC metadata endpoint URL ending with /.well-known/openid-configuration and got the issuer value, but how to capture the token issued by Okta to compare the issuer value.
AmanpreetSingh-MSFT 55,366 Reputation points

2020-04-06T09:23:13.963+00:00
@Yashwanth Yenugu You need to capture fiddler trace for this purpose. Please follow below instructions to capture a fiddler trace:

Setup:

Download and install Fiddler from here: https://www.telerik.com/fiddler

Follow these instructions to enable HTTPS capture: https://docs.telerik.com/fiddler/configure-fiddler/tasks/DecryptHTTPS (do step 1 and 2)

To get traces:

Start fiddler (it will start capturing)

Repro the issue.

Stop fiddler capturing by hitting the F12 key.

Save all sessions in .saz file and send via email to azcommunity[at]microsoft[dot]com. I will analyze the capture and let you know.
AmanpreetSingh-MSFT 55,366 Reputation points

2020-04-09T05:21:19.72+00:00

@Yashwanth Yenugu Have you had a chance to capture and share the fiddler?
Yashwanth Yenugu 111 Reputation points

2020-04-10T10:57:49.223+00:00

@AmanpreetSingh-MSFT Yes, I've captured and shared that in mail. I didn't get any response back.
AmanpreetSingh-MSFT 55,366 Reputation points

2020-04-13T12:21:54.48+00:00

@Yashwanth Yenugu , I couldn't find your email. Could you please send it again including the thread URL?
Yashwanth Yenugu 111 Reputation points

2020-04-13T16:29:23.17+00:00

@AmanpreetSingh-MSFT , I've sent the mail, Please acknowledge. Thanks.
AmanpreetSingh-MSFT 55,366 Reputation points

2020-04-13T19:17:04.08+00:00

@Yashwanth Yenugu , Received your email and I have replied to it.

'AADB2C90238: The provided token does not contain a valid issuer. Please provide another token and try again.

1 additional answer

Activity