Custom Social Connection Fails to Obtain Access Token

Problem statement

Login attempts with a new Custom Social Connection fail with 502 / 503 / 504 and similar status code errors or an “InternalOAuthError: Failed to obtain access token” error.

Symptoms

We get the following error:

"failed to obtain the access token"

Troubleshooting

The custom social connection implements the OAuth2 Authorization Code Grant flow between Auth0 and the social IdP. After the user logs in successfully through the social IdP, the social IdP sends the code and state back to Auth0 on the /login/callback endpoint. This can be confirmed by reviewing the network requests in a HAR file:

[Screenshot: HAR network requests showing the /login/callback request with code and state]

Auth0 then calls the social IdP’s token endpoint to exchange the authorization code for an access token. This call fails, which is why the “InternalOAuthError: Failed to obtain access token” error is returned.

Cause

The issue could reside on the Auth0 side (e.g. a DNS issue within Auth0) or on the Identity Provider (IdP) side. To confirm the cause of the issue, test the social IdP’s token endpoint first.

Use a curl command to send requests to the IdP’s token endpoint. Here is an example result:

[Screenshot: example curl request to the IdP’s token endpoint, run between two date -u commands]

Running date -u before and after the curl command records a timestamp at the start and end of the request.

As shown in the screenshot above, the request started at 2023-03-29 00:52:32 UTC and ended at 2023-03-29 00:54:02 UTC; the “invalid_client” error is expected (because it’s just an example request), but it took 90 seconds to receive the response. This is too long for a token endpoint to respond, regardless of whether it is a successful or failed response. This test rules out the possibility of the issue residing on the Auth0 side.

Based on the above analysis, the issue must reside on the social IdP side.
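The timing test described above can be scripted as follows. This is an added example, not a command from the original article; it assumes GNU date and curl, and the URL, credentials, redirect URI and the 10-second limit are placeholders chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: time a request to the social IdP's token endpoint.
# Assumes GNU date (for -d) and curl. All request values are placeholders,
# so an "invalid_client"-style error is the expected response.

# Seconds between two UTC timestamps such as "2023-03-29 00:52:32".
elapsed_seconds() {
  local start end
  start=$(date -u -d "$1" +%s) || return 1
  end=$(date -u -d "$2" +%s) || return 1
  echo $(( end - start ))
}

# Exit 0 when the elapsed seconds ($1) exceed the caller's limit ($2).
# The limit is the caller's choice; the article does not give a number.
is_slow() {
  [ "$1" -gt "$2" ]
}

# Send a deliberately invalid token request, bracketed by date -u.
probe_token_endpoint() {
  local url=$1 limit=${2:-10} started ended status took
  started=$(date -u '+%Y-%m-%d %H:%M:%S')
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 120 \
    --data-urlencode 'grant_type=authorization_code' \
    --data-urlencode 'code=PLACEHOLDER_CODE' \
    --data-urlencode 'client_id=PLACEHOLDER_ID' \
    --data-urlencode 'client_secret=PLACEHOLDER_SECRET' \
    --data-urlencode 'redirect_uri=https://example.invalid/login/callback' \
    "$url") || status="curl-error"
  ended=$(date -u '+%Y-%m-%d %H:%M:%S')
  took=$(elapsed_seconds "$started" "$ended")
  echo "start=$started UTC end=$ended UTC http=$status elapsed=${took}s"
  if is_slow "$took" "$limit"; then
    echo "token endpoint took longer than ${limit}s: check the IdP side"
  fi
}

# Runs only when TOKEN_URL is set, for example:
#   TOKEN_URL=https://idp.example.invalid/oauth/token bash probe.sh
if [ -n "${TOKEN_URL:-}" ]; then
  probe_token_endpoint "$TOKEN_URL" "${LIMIT_SECONDS:-10}"
fi
```

Because the request carries only placeholder values, the HTTP status is expected to be an error; the elapsed time is the figure to compare against the login failures.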

Solution

Contact the social IdP to fix the long response time.