Creating an OIDC Connection Fails with "options.issuer is required" Error

Overview

When trying to create OIDC connections via CLI or Dashboard, different discovery URLs throw the same error:

Bad Request: “options.issuer” is required

The discovery URL returns the “issuer” field.

Cause

• The URL https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration is invalid because it contains an invalid issuer (“issuer”:“https://login.microsoftonline.com/{tenantid}/v2.0”) (the {tenantid} is causing the Issue)
• Use the well-known URL with the specific Azure tenant ID, e.g., https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0/.well-known/openid-configuration.
• Refer to the Microsoft article on OpenID configuration document URI.
• The URL https://accounts.google.com/.well-known/openid-configuration only works if options.type: “back_channel”, as this endpoint does not advertise response_modes_supported.

Solution

If there is a working discovery endpoint, create this connection with the Management API POST /api/v2/connections.

The workaround is to paste the entire response payload from the IDP’s discovery endpoint into options.oidc_metadata and do not send options.discovery_url.

“options”: {
“issuer”:“”
“type”:“front_channel”,
“client_id”:“”,
“jwks_uri”:“,
“authorization_endpoint”:”",
“oidc_metadata”:{RESPONSE OBJECT FROM THE DISCOVERY ENDPOINT}
},

Note that there is a feature flag that can be enabled by Okta’s Engineering Team that can be enabled to roll back the new schemas for discovery validations when creating OIDC connections. If this is something desired, please open a case with Okta Support referencing this article in the case description.

My name is Shane Tomlinson, I am from the Enterprise Federations team which is responsible for supporting the OIDC connection. For anybody that comes across this article hoping to use the Microsoft Common URL with an OIDC connection, please read on.

• The URL https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration is invalid because it contains an invalid issuer (“issuer”:“https://login.microsoftonline.com/{tenantid}/v2.0”) (the {tenantid} is causing the Issue)

Using the Microsoft Common URL (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) is not something the OIDC connection supports, the {tenantid} within the issuer is indeed considered invalid.

Instead, a waad connection set with the OpenID Connection protocol (waad_protocol: “openid-connect”) should be used. From the manage dashboard UI, this is known as a Microsoft Azure AD connection.

https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2 provides a high level intro to the connection type and https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/choose-a-connection-type-for-azure-ad provides a detailed comparison of connection types.

Note that there is a feature flag that can be enabled by Okta’s Engineering Team that can be enabled to roll back the new schemas for discovery validations when creating OIDC connections. If this is something desired, please open a case with Okta Support referencing this article in the case description.

Reverting the mentioned feature flag is not something we do and does not fix this case, the issuer is still invalid with the old schemas. Please do not request this feature flag be disabled, it’s in the process of being removed.

To wrap up, when trying to connection to Azure/Entra, use the waad strategy instead. The OIDC connection does not support the Microsoft Common URL for discovery, even with legacy schemas.