Problem statement
When trying to create OIDC connections via CLI or Dashboard, different discovery URLs throw the same error:
Bad Request: “options.issuer” is required
The discovery URL returns the “issuer” field.
Symptoms
A customer is trying to create OIDC connections via CLI or Dashboard.
Different discovery URLs throw the same error:
Bad Request: “options.issuer” is required
But the discovery URL returns the “issuer” field.
Steps to reproduce
Try to create a front-channel OIDC connection using any of these discovery URLs:
- https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
- https://accounts.google.com/.well-known/openid-configuration
Cause
- The URL https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration is rejected because the issuer it advertises (“issuer”: “https://login.microsoftonline.com/{tenantid}/v2.0”) is not a concrete URL; the unresolved {tenantid} placeholder is what causes the error.
- Use the discovery URL for the specific Azure tenant instead, e.g., https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0/.well-known/openid-configuration.
- Please check this document for reference.
- The URL https://accounts.google.com/.well-known/openid-configuration only works with options.type: “back_channel”, because that discovery document does not advertise response_modes_supported, which front-channel connections require.
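To check a discovery document for the two causes above before creating the connection, the following added example (not Auth0/Okta code; the connection validator's exact rules are not published in this article) encodes them as a pre-flight check: the issuer must be a concrete absolute https URL with no {tenantid}-style placeholder, and a front-channel connection requires the document to advertise response_modes_supported. It additionally reports, as a warning only, the OIDC Discovery 1.0 consistency rule that the issuer must equal the discovery URL minus /.well-known/openid-configuration, since the article does not say the validator enforces that rule. The sample documents are constructed and trimmed to the fields the checks read; fetch_discovery is included for checking a live endpoint.

```python
"""Pre-flight check for an OIDC discovery document.

Added example for this article; not Auth0/Okta code. Rules encoded:
  1. "issuer" must be present and be a plain absolute https URL with no
     unresolved "{tenantid}"-style placeholder (article: cause 1).
  2. A front_channel connection needs "response_modes_supported" in the
     document (article: cause 2).
  3. Warning only: issuer should equal the discovery URL minus
     "/.well-known/openid-configuration" (OIDC Discovery 1.0, section 4.3;
     the article does not say the validator checks this).
"""
import json
import re
from urllib.parse import urlparse
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"
PLACEHOLDER = re.compile(r"\{[^{}]*\}")  # matches {tenantid} and similar


def fetch_discovery(url: str, timeout: int = 10) -> dict:
    """Download and parse a live discovery document (network; not used by the samples)."""
    with urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_discovery(discovery_url: str, doc: dict, conn_type: str = "front_channel"):
    """Return (errors, warnings) for creating a connection of conn_type from doc.

    An empty errors list means the document passes the checks described above.
    """
    errors, warnings = [], []
    if conn_type not in ("front_channel", "back_channel"):
        errors.append(f"unknown options.type {conn_type!r}")

    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer.strip():
        errors.append('"issuer" is missing from the discovery document')
    else:
        if PLACEHOLDER.search(issuer):
            errors.append(f'"issuer" contains an unresolved placeholder: {issuer}')
        parts = urlparse(issuer)
        if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
            errors.append(f'"issuer" is not a plain absolute https URL: {issuer}')
        if discovery_url.endswith(WELL_KNOWN):
            expected = discovery_url[: -len(WELL_KNOWN)]
            if expected.rstrip("/") != issuer.rstrip("/"):
                warnings.append(
                    f"issuer {issuer!r} does not match discovery URL prefix {expected!r}"
                )
        else:
            warnings.append(f"discovery URL does not end with {WELL_KNOWN}")

    if conn_type == "front_channel" and "response_modes_supported" not in doc:
        errors.append(
            'front_channel needs "response_modes_supported" in the discovery document; '
            "use options.type back_channel or a different provider endpoint"
        )
    return errors, warnings


# Constructed, trimmed sample documents keyed by the discovery URLs in the article;
# only the fields the checks look at are included.
SAMPLE_DOCS = {
    "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration": {
        "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
        "response_modes_supported": ["query", "fragment", "form_post"],
    },
    "https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0/.well-known/openid-configuration": {
        "issuer": "https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0",
        "response_modes_supported": ["query", "fragment", "form_post"],
    },
    "https://accounts.google.com/.well-known/openid-configuration": {
        "issuer": "https://accounts.google.com",
        # no response_modes_supported, as the article notes
    },
}


def check_samples(conn_type: str = "front_channel") -> dict:
    """Run the checks over every sample; returns {discovery_url: (errors, warnings)}."""
    return {url: check_discovery(url, doc, conn_type) for url, doc in SAMPLE_DOCS.items()}


if __name__ == "__main__":
    for url, (errs, warns) in check_samples().items():
        print(url, "->", "REJECT" if errs else "OK")
        for line in errs + warns:
            print("   ", line)
```

With the constructed samples, the common Microsoft URL is rejected for the placeholder (and warned about the issuer mismatch), the tenant-specific Microsoft URL passes cleanly, and the Google URL is rejected for front_channel but passes for back_channel. To check a live provider, feed the output of fetch_discovery(url) into check_discovery in place of a sample document.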
Solution
Okta’s Engineering Team can enable a feature flag that rolls back the new discovery-document validation schema used when creating OIDC connections. If this is desired, please open a case with Okta Support and reference this article in the case description.