Setting up OAuth using IDCS as the Identity Provider
Answer ID 12034 | Last Review Date 10/13/2023
How do I resolve errors when trying to make my OAuth request?
Environment:
Oracle B2C Service
All supported versions
Resolution:
If you are implementing OAuth for REST requests with IDCS as the Identity Provider, the tips below will help you get started and troubleshoot your OAuth implementation.
The Administering Oracle Identity Cloud Service documentation will help you get started with configuring IDCS. The Use OAuth Authorization to Access the Connect REST API documentation will help you get started with configuring the Oracle B2C Service side.
Common errors:
The Security Log on your Oracle B2C Service site will record errors related to OAuth. This log can be accessed in the agent desktop via the Configuration button > Site Configuration folder > Logs > Security Log button in the ribbon.
1. Description: JWT issuer is not trusted or not specified in the claims part of OAuth token: https://identity.oraclecloud.com/
If you see an error similar to the above description in the Security Log, you will need to ensure the Entity ID for the OAuth Identity provider in the Single Sign-On Configurations component is set to https://identity.oraclecloud.com/. Also ensure that the OAuth Identity Provider is set to active.
2. If the Entity ID is already set to the correct value as noted above, check the certificates you have uploaded in the File Manager. Your IDCS tenant's signing certificates are published at the URL below; replace the 'tenant-base-url' portion with your specific tenant (e.g. https://idcs-xxxxxxxxxxxxxxx.identity.oraclecloud.com/admin/v1/SigningCert/jwk). If that URL lists two certificates (two keys) for IDCS, both certificates must be loaded into the File Manager, and the signing certificate must be imported into the OAuth Identity Provider in the Single Sign-On Configurations component:
https://tenant-base-url/admin/v1/SigningCert/jwk
The above URL can be opened in a browser or fetched with a cURL command. Firefox renders the JSON so that the two certificates (keys) are easy to see; in other browsers you may need to add a JSON viewer add-on to see the formatted JSON.
3. Description: JWT signature verification failed, error code: -12
Check that your OAuth bearer token is formatted correctly. The token must be sent as a single unbroken string: extra line breaks (or other whitespace) introduced when copying it change the bytes that were signed, so the signature no longer verifies.
4. Description: Validating JWT params failed, Error Code: -18
If you see the above error, check the expiry (exp) claim of your token: error code -18 means the JWT has expired, and you will need to request a new token from IDCS.
5. Description: JWT audience validation failed
See the Answer "Error "JWT audience validation failed" when setting up OAUTH" for details on how to resolve this error.
6. Description: Validating JWT params failed, Error Code: -21
If you see the above error, your token is missing the jti (JWT ID) claim. The jti claim will need to be added to your bearer token.
7. Description: No matches found for the subject value 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' in the accounts table and Description: Validating JWT params failed, Error Code: -24
If you see either of the above errors, check that your Oracle B2C Service site has a staff account whose login matches the client ID you received from IDCS. The subject (sub) value in the token is the IDCS client ID, and the login of the OAuth staff account must match it exactly.
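As an added troubleshooting aid (not part of this article or of Oracle's documentation), the Python script below decodes a bearer token and applies the claim checks behind Security Log errors 1, 3, 4, 6 and 7 before the token is ever sent to the site, so a bad token can be diagnosed offline. It does not verify the signature, which still requires the tenant's signing certificate from error 2; the sample token, client ID and audience value it builds are constructed placeholders.

```python
import base64
import json
import time

# Issuer the B2C Service side expects (the Entity ID from error 1 above).
EXPECTED_ISSUER = "https://identity.oraclecloud.com/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_token(token: str, staff_logins, now=None):
    """Return a list of problems the B2C Service Security Log would report for this token.

    An empty list means the claim checks pass. The signature is NOT verified here;
    that still needs the IDCS signing certificate (error 2 above).
    """
    now = time.time() if now is None else now
    problems = []

    # Error 3 (-12): a token pasted with line breaks or spaces inside it is not the
    # byte string IDCS signed, so signature verification fails on the site.
    if any(ch.isspace() for ch in token):
        problems.append("token contains whitespace or line breaks (-12 signature verification will fail)")
        token = "".join(token.split())  # continue checking the claims anyway

    parts = token.split(".")
    if len(parts) != 3:
        problems.append(f"expected 3 dot-separated segments, found {len(parts)}")
        return problems

    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        problems.append(f"payload is not valid base64url JSON: {exc}")
        return problems

    # Error 1: issuer must equal the Entity ID configured for the OAuth Identity Provider.
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} is not {EXPECTED_ISSUER!r}")

    # Error 4 (-18): expired token.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp claim missing")
    elif exp <= now:
        problems.append(f"token expired {int(now - exp)} s ago (-18)")

    # Error 6 (-21): the jti (JWT ID) claim is required.
    if not claims.get("jti"):
        problems.append("jti claim missing (-21)")

    # Error 5: audience validation happens on the site; here we only flag an absent claim.
    if "aud" not in claims:
        problems.append("aud claim missing")

    # Error 7 (-24): sub must equal the login of a B2C Service staff account,
    # and that login must be the IDCS client ID exactly (case-sensitive).
    sub = claims.get("sub")
    if sub not in staff_logins:
        problems.append(f"no staff account login matches subject {sub!r} (-24)")

    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature, to exercise check_token().

    Constructed for this example only; real IDCS tokens are RS256-signed with the tenant key.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "SIGNING_KEY"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    # Constructed sample values: the client ID, staff login and audience are placeholders.
    client_id = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
    token = make_unsigned_token({
        "iss": EXPECTED_ISSUER, "sub": client_id, "aud": "example-audience",
        "exp": int(time.time()) + 3600, "jti": "constructed-jti-1",
    })
    for problem in check_token(token, staff_logins={client_id}) or ["claims OK"]:
        print(problem)
```

Run it against a real token by pasting the token string and the login of your OAuth staff account; any line it prints maps directly to one of the Security Log descriptions above.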
Other items to keep in mind:
Ensure the profile assigned to the OAuth staff account on the Oracle B2C Service side has the SSO permission enabled. The matching client also needs to be set up on the IDCS side.
Making a REST call via OAuth requires a valid bearer token from IDCS, which is then presented with the request for authorization. Obtain the token from the following endpoint (e.g. https://idcs-xxxxxxxxxxxxxxxx.identity.oraclecloud.com/oauth2/v1/token) via cURL or Postman:
https://tenant-base-url/oauth2/v1/token