Kevin Barnard, 2mo ago

invalid_argument msg

I have an existing application that works using Zitadel as the IdP. I am integrating a third party using their Okta and generic OIDC for authentication.
Once enabled, I have the sign-in button using Okta as IdP, and that flow takes the client to their Okta page. They are able to log in and get to the callback of my Zitadel instance, but get the attached error message. We have tried changing settings on both sides, but as a managed client I have no idea what is wrong or even how to debug this issue. Any ideas or help on how I can troubleshoot would be most appreciated. Thank you.
4 Replies
Ask Inkeep, 2mo ago

Hi @Kevin Barnard, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer: I wasn't able to find a direct answer to your specific "invalid_argument" error; here are some relevant sources:

1. Generic OIDC identity provider sign-up/sign-in flow generates an "Invalid signature" error (1): This discusses a similar issue where users experienced signature validation errors when using generic OIDC providers, with potential solutions involving JWKS endpoint compliance.
2. Configure OIDC prompt and login_hint query parameter for external IdPs (2): This addresses compatibility issues with providers like Ping that don't implement certain OIDC parameters correctly, which could cause similar integration problems.

To learn more, see the sources I considered:
[1] Generic OIDC identity provider sign-up/sign-in flow generates an "Invalid signature" error
[2] Configure OIDC prompt and login_hint query parameter for external IdPs

Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
Rajat, 2mo ago

Hey @Kevin Barnard, thanks for your question. I will look into it and get back to you. Are you self-hosted?
Kevin Barnard (OP), 2mo ago
Managed in cloud
Rajat, 2mo ago

Hey @Kevin Barnard, can you pls check your network tab when you initiate login again (private window)? Pls check the HTTP response body to learn the real reason. In 9 of 10 cases the aud or iss in the ID token does not match what you typed in the ZITADEL console.
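As an added illustration of the check Rajat describes (this is example code written for this page, not ZITADEL's or Okta's own validation logic): the script below decodes the payload of an ID token captured from the network tab and compares its `iss` and `aud` claims against the issuer URL and client ID configured in the IdP settings. It does not verify the signature, so it is only a diagnostic for spotting a configuration mismatch, not a substitute for the relying party's full token validation. The issuer URL and client ID in the sample are constructed placeholders, and the sample token is built locally with a dummy signature segment.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: it lets you read what the IdP actually put in iss/aud.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(id_token: str, expected_issuer: str, expected_client_id: str) -> list:
    """Compare iss and aud in the token with the values configured for the IdP.

    Returns a list of human-readable mismatch descriptions (empty means both match).
    OIDC requires an exact string match on iss, so a trailing slash or a
    different path (e.g. a custom authorization server) counts as a mismatch.
    aud may be a string or a list; the configured client ID must be present.
    """
    claims = decode_claims(id_token)
    problems = []

    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f"iss mismatch: token has {iss!r}, configured {expected_issuer!r}")

    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud_list:
        problems.append(f"aud mismatch: token has {aud!r}, configured client ID {expected_client_id!r}")

    return problems


def build_sample_token(claims: dict) -> str:
    """Construct an unsigned-looking JWT for local testing (dummy signature segment)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


# Constructed placeholder values; replace with what is configured in the IdP settings.
CONFIGURED_ISSUER = "https://idp.example.com/oauth2/default"
CONFIGURED_CLIENT_ID = "0oa-example-client-id"

if __name__ == "__main__":
    # Token whose issuer carries a trailing slash: a typical cause of an iss mismatch.
    token = build_sample_token({
        "iss": "https://idp.example.com/oauth2/default/",
        "aud": "0oa-example-client-id",
        "sub": "user-123",
    })
    for problem in check_id_token_claims(token, CONFIGURED_ISSUER, CONFIGURED_CLIENT_ID):
        print(problem)
```

To use it on a real capture, paste the `id_token` value from the token response into `build_sample_token`'s place (i.e. call `check_id_token_claims` on the captured string) together with the issuer and client ID you entered in the console; any line it prints names the claim to fix.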