Overview
When trying to create OIDC connections via CLI or Dashboard, different discovery URLs throw the same error:
Bad Request: “options.issuer” is required
This happens even though the discovery document returned by that URL does contain an “issuer” field.
Cause
- The URL https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration is rejected because the issuer it advertises (“issuer”:“https://login.microsoftonline.com/{tenantid}/v2.0”) is not a valid issuer: the {tenantid} placeholder is never resolved in the common endpoint’s document, and that placeholder is what causes the issue.
- Use the well-known URL with the specific Azure tenant ID, e.g., https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0/.well-known/openid-configuration.
- Refer to the Microsoft article on OpenID configuration document URI.
- The URL https://accounts.google.com/.well-known/openid-configuration only works with options.type: “back_channel”, because this endpoint does not advertise response_modes_supported.
Solution
If the IDP’s discovery endpoint is reachable, create the connection through the Management API (POST /api/v2/connections) instead of the CLI or Dashboard.
The workaround is to paste the entire response payload from the IDP’s discovery endpoint into options.oidc_metadata and omit options.discovery_url from the request:
"options": {
  "issuer": "",
  "type": "front_channel",
  "client_id": "",
  "jwks_uri": "",
  "authorization_endpoint": "",
  "oidc_metadata": {RESPONSE OBJECT FROM THE DISCOVERY ENDPOINT}
}
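The following is an added example (not code from the article or from Okta/Auth0) that ties the Cause and Solution sections together: it checks a discovery document for the two failure modes described above (an issuer that still contains a template placeholder, and a document that does not advertise response_modes_supported while the connection type is front_channel), and then builds the POST /api/v2/connections payload with the whole document in options.oidc_metadata and no options.discovery_url. The sample discovery documents are constructed inline so the example runs offline; the tenant ID is the one quoted in this article, the request fields name and strategy: "oidc", and the token_endpoint/client_secret fields used for back_channel, are assumptions about the Management API schema and should be checked against the API reference.

```python
import json
import urllib.request

# Constructed sample shaped like the "common" Microsoft document (not fetched from Microsoft):
# the issuer still contains the unresolved {tenantid} placeholder described in the Cause section.
COMMON_ENDPOINT_DOC = {
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "response_modes_supported": ["query", "fragment", "form_post"],
}

# Constructed sample shaped like a tenant-specific document, using the tenant ID from the article.
TENANT_ID = "8eaef023-2b34-4da1-9baa-8bc8c9d6a490"
TENANT_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_modes_supported": ["query", "fragment", "form_post"],
}

# Constructed sample shaped like the Google document: no response_modes_supported key at all.
GOOGLE_LIKE_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}


def check_discovery_doc(doc, connection_type="front_channel"):
    """Return a list of reasons the document would be rejected; empty list means it looks usable."""
    problems = []
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        problems.append("issuer missing or empty")
    elif "{" in issuer or "}" in issuer:
        # The "common" Microsoft endpoint advertises a templated issuer that is never resolved.
        problems.append(f"issuer contains an unresolved template placeholder: {issuer}")
    for key in ("authorization_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"{key} missing")
    if connection_type == "front_channel" and "response_modes_supported" not in doc:
        problems.append("response_modes_supported is not advertised; use type back_channel")
    return problems


def build_connection_payload(name, client_id, doc, connection_type="front_channel", client_secret=None):
    """Build the POST /api/v2/connections body: the whole discovery document goes into
    options.oidc_metadata and options.discovery_url is deliberately not set."""
    problems = check_discovery_doc(doc, connection_type)
    if problems:
        raise ValueError("; ".join(problems))
    options = {
        "issuer": doc["issuer"],
        "type": connection_type,
        "client_id": client_id,
        "jwks_uri": doc["jwks_uri"],
        "authorization_endpoint": doc["authorization_endpoint"],
        "oidc_metadata": doc,
    }
    if connection_type == "back_channel":
        # Assumption: back_channel connections exchange the code server-side, so they need
        # the token endpoint and a client secret in addition to the fields above.
        options["token_endpoint"] = doc["token_endpoint"]
        options["client_secret"] = client_secret
    # "name" and "strategy" are assumed to be the required top-level fields of the create call.
    return {"name": name, "strategy": "oidc", "options": options}


def create_connection(domain, mgmt_token, payload):
    """Send the payload to the Management API (requires network and a real Management API token)."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2/connections",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {mgmt_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(check_discovery_doc(COMMON_ENDPOINT_DOC))        # templated issuer is flagged
    print(check_discovery_doc(GOOGLE_LIKE_DOC))             # front_channel needs response_modes_supported
    print(json.dumps(build_connection_payload("azure-oidc", "CLIENT_ID_PLACEHOLDER", TENANT_DOC), indent=2))
```

In practice you would fetch the tenant-specific discovery document yourself (for example with urllib or curl), run it through check_discovery_doc before touching the API, and only then call create_connection with a Management API token that has the create:connections scope.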
Note that Okta’s Engineering Team can enable a feature flag that rolls back the new schema validations for discovery documents when creating OIDC connections. If this is desired, please open a case with Okta Support and reference this article in the case description.