Creating an OIDC Connection Fails with "options.issuer is required" Error

Overview

When trying to create OIDC connections via CLI or Dashboard, different discovery URLs throw the same error:

Bad Request: "options.issuer" is required

The error occurs even though the discovery URL's response includes the "issuer" field.

Cause

Solution

If there is a working discovery endpoint, create this connection with the Management API POST /api/v2/connections.

The workaround is to paste the entire response payload from the IdP's discovery endpoint into options.oidc_metadata and to omit options.discovery_url from the request.

"options": {
  "issuer": "",
  "type": "front_channel",
  "client_id": "",
  "jwks_uri": "",
  "authorization_endpoint": "",
  "oidc_metadata": {RESPONSE OBJECT FROM THE DISCOVERY ENDPOINT}
},
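One way to assemble the request body for the workaround above, as an added example that is not Okta's own code. The connection name, client ID, sample discovery document and the issuer and https checks are assumptions made for illustration.

```python
import json

# Constructed sample of an IdP discovery response (not a real provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
}
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")


def build_connection_body(metadata, name, client_id, expected_issuer):
    """Build a POST /api/v2/connections body from a discovery document."""
    missing = [k for k in REQUIRED if not metadata.get(k)]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    # Assumed check: pin the issuer to the IdP you intend to trust.
    if metadata["issuer"] != expected_issuer:
        raise ValueError("issuer in metadata does not match the expected IdP")
    for key in REQUIRED:
        if not str(metadata[key]).startswith("https://"):
            raise ValueError(key + " is not an https URL")
    return {
        "name": name,
        "strategy": "oidc",
        "options": {
            "issuer": metadata["issuer"],
            "type": "front_channel",
            "client_id": client_id,
            "jwks_uri": metadata["jwks_uri"],
            "authorization_endpoint": metadata["authorization_endpoint"],
            "oidc_metadata": metadata,  # the whole discovery payload
            # options.discovery_url is deliberately not sent
        },
    }


if __name__ == "__main__":
    body = build_connection_body(SAMPLE_DISCOVERY, "example-oidc",
                                 "EXAMPLE_CLIENT_ID", "https://idp.example.com")
    print(json.dumps(body, indent=2))
```

The printed JSON is the body to send to POST /api/v2/connections with a Management API token.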

Note that Okta's Engineering Team can enable a feature flag that rolls back the new schemas for discovery validations when creating OIDC connections. If this is desired, please open a case with Okta Support and reference this article in the case description.
