"No valid OpenID Connect metadata was found at the provided url" due to SSL error

Problem statement

Users see the error "No valid OpenID Connect metadata was found at the provided url" when entering the Issuer URL for their OIDC enterprise connection.

The network traffic in the dashboard shows a request to /api/oidc/lookup that returns this error message:

```
discovery_url: "https://{IDP_DOMAIN}/.well-known/openid-configuration"
found: false
lastError: "Error: write EPROTO C0A79D9C097F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../deps/openssl/openssl/ssl/statem/extensions.c:922:\n"
message: "No valid OpenID Connect metadata was found at the provided url"
```

Cause

  • The issuer URL request is failing because the IdP does not appear to support secure renegotiation. Auth0 recently upgraded the repos responsible for making this request to Node v18 (the previous versions were approaching EOL later in 2023). As part of that upgrade, the OpenSSL library moved to 3.0, where the option SSL_OP_LEGACY_SERVER_CONNECT changed from enabled by default (OpenSSL 1.1.1) to disabled by default (OpenSSL 3.0). This change is necessary for security: it addresses the TLS renegotiation vulnerability covered by RFC 5746 (Secure Renegotiation).

  • Another possibility is that, for the /.well-known/openid-configuration request, the IdP's API returns a response containing a header whose value includes a character that is not allowed.

Solution

The IdP needs to upgrade its endpoint so that it complies with the Secure Renegotiation spec (RFC 5746).