Troubleshooting OAuth2 and OIDC error responses

Problem

An OAuth2 or OIDC endpoint is returning an error. What could be the possible causes?

Solution

Possible error messages on authorization endpoint for authorization code flow (HTTP 400 errors)

The client ID used in the request does not exist or has been inactivated. (HTTP 400 Error)

The requested agent was not found

The value of the redirect_uri parameter does not match a registered allowed redirect_uri in the redirect_uris parameter of the application metadata. (HTTP 400 Error)

Invalid ticket request: redirect_uri

The response_type value is not set to code, or other mandatory values are missing. (HTTP 400 Error)

Invalid ticket request: invalid_request

Possible error messages on token endpoint (HTTP 400 errors)

The authorization code is missing completely. (HTTP 400 Error)

{"error_description":"Missing parameters: code","error":"invalid_request"}

The authorization code is incomplete or has expired. Make sure the code is complete and no part of it has been truncated or modified by, for example, erroneous encoding. (HTTP 400 Error)

{"error_description":"Integrity verification failed","error":"invalid_grant"}

The client_id is not valid. (HTTP 400 Error)

{"error_description":"Client credentials are invalid","error":"access_denied"}

The secret is wrong but the client_id is valid. (HTTP 400 Error)

{"error_description":"Client secret is invalid","error":"invalid_client"}

Possible error messages on userinfo endpoint

The request does not carry an Authorization header in the "Authorization: BEARER xxxxx" format. (HTTP 400 Error)

{"error_description":"Incorrect authorization method."}

The token is signed and parses correctly, but has expired or is not appropriate (not a JWT). (HTTP 400 Error)

{"error_description":"Token is invalid","error":"invalid_token"}

The token looks like a JWT but its signature is invalid. Make sure the token is complete and no part of it has been truncated or modified by, for example, erroneous encoding. (HTTP 400 Error)

{"error_description":"Integrity verification failed","error":"invalid_token"}

Possible error messages on introspection endpoint

The client_id is not valid. (HTTP 400 Error)

{"error_description":"Client credentials are invalid","error":"access_denied"}

The secret is wrong but the client_id is valid. (HTTP 400 Error)

{"error_description":"Client secret is invalid","error":"invalid_client"}

The access token is malformed, has expired, or does not have the scope of the client_id used for introspection. Try using the token on the userinfo endpoint; if you get a response there, the token is valid but does not have the scope of the client_id used for introspection.

{"active":false}

There is no token parameter in the request.

{"error_description":"Missing parameters: token","error":"invalid_request"}
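Several of the causes listed above (unregistered redirect_uri, wrong response_type, a missing Bearer header, a truncated or re-encoded code or JWT, an expired token) can be caught on the client side before the request is sent. The following pre-flight checks are an added example written for this page, not code from any provider; the sample JWT is constructed and its signature bytes are dummy, and jwt_precheck deliberately does not verify signatures.

```python
import base64
import json
import time


def validate_authorize_request(params, registered_redirect_uris):
    """Mirror the authorization-endpoint 400 causes: client_id present,
    redirect_uri exactly matches a registered value, response_type is 'code'."""
    problems = []
    if not params.get("client_id"):
        problems.append("client_id missing")
    if params.get("redirect_uri") not in registered_redirect_uris:
        problems.append("redirect_uri not registered")  # exact string match, no prefix rules
    if params.get("response_type") != "code":
        problems.append("response_type must be 'code'")
    return problems


def bearer_token(headers):
    """Return the token if the header is a well-formed 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_precheck(token, now=None):
    """Structural checks before calling userinfo/introspection. Catches tokens that are
    not JWTs, were truncated or re-encoded in transit, or carry an expired 'exp'.
    Returns a short reason string, or None if the token passes. No signature check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return "not a JWT (expected header.payload.signature)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        _b64url_decode(parts[2])
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all derive from it
        return "token truncated or re-encoded (base64url/JSON decode failed)"
    if "alg" not in header:
        return "JWT header lacks alg"
    if "exp" in payload and payload["exp"] < now:
        return "token expired"
    return None


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token for demonstration only; the signature is 32 dummy bytes.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "user-1", "exp": 1700000000}).encode()),
    _b64url(b"\x00" * 32),
])
```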