Problem statement
We have a custom social connection that uses Indeed as IdP. The login fails with 502s / 503s / 504s, etc. Here is the error.
“failed to obtain the access token”
Troubleshooting
The custom social connection implements the OAuth2 Authorization Code Grant flow between Auth0 and the social IdP (Indeed in this specific case). After the user login via social IdP successfully, the social IdP sends the code and state back to Auth0 on the /login/callback endpoint. This can be confirmed from a HAR file:
-
Auth0 will call the token endpoint of the social IdP to use the authorization code to request an access token, but it failed here, which is why the “InternalOAuthError: Failed to obtain access token” error returns.
-
The issue could reside on the Auth0 side (e.g. DNS issue within Auth0) or the social IdP side. To confirm the cause of the issue, test the social IdP’s token endpoint first.
We can use the curl command to send requests to the token endpoint. Here is the result.
With data -u before and after the curl command, we record the timestamp of the start and end of the request.
As shown in the screenshot above, the request started at 2023-03-29 00:52:32 UTC and ended at 2023-03-29 00:54:02 UTC, the “invalid_client” error is expected (because it’s just an example request), but it took 90 seconds to receive the response.
90s is way too long for a token endpoint to respond, no matter success or failed response. This test rules out the possibility of the issue residing on the Auth0 side.
Based on the above analysis, the issue must reside on the social IdP (Indeed) side.
Cause
The token endpoint of social IdP is taking too long to respond.
Solution
Contact the social IdP to fix the issue