Setting up OAuth using IDCS as the Identity Provider
Answer ID 12034   |   Last Review Date 05/03/2022

How do I resolve errors when trying to make my OAuth request?

Environment:
 
Oracle B2C Service, All supported versions
 
Resolution:
 
If you are implementing OAuth for REST requests and using IDCS as the Identity Provider, below are some tips to get you started on your OAuth implementation.
 
The Administering Oracle Identity Cloud Service documentation will help you get started with configuring IDCS. The Use OAuth Authorization to Access the Connect REST API documentation will help you get started with configuring the Oracle B2C Service side.
 
Common errors:
The Security Log on your B2C Service site will record errors related to OAuth. This log can be accessed in the agent desktop via the Configuration button > Site Configuration folder > Logs > Security Log button in the ribbon.
 
1.  Description: JWT issuer is not trusted or not specified in the claims part of OAuth token: https://identity.oraclecloud.com/
 
If you see an error similar to the above description in the Security Log, ensure that the Entity ID for the OAuth Identity Provider in the Single Sign-On Configurations component is set to https://identity.oraclecloud.com/. Also ensure that the OAuth Identity Provider is set to active.
 
2. If the Entity ID is set to the correct value as noted above, check the certificates you have uploaded in the File Manager. If the URL below displays two certificates for IDCS, ensure that both certificates are loaded into the File Manager and that the signing certificate is imported into the OAuth Identity Provider in the Single Sign-On Configurations component. The certificates for your specific IDCS tenant can be found by replacing the 'tenant-base-url' portion of the URL below with your specific tenant (e.g. https://idcs-xxxxxxxxxxxxxxx.identity.oraclecloud.com/admin/v1/SigningCert/jwk):
 
https://tenant-base-url/admin/v1/SigningCert/jwk
 
The above URL can be opened in a browser or requested with a cURL command. If you open the URL in the Firefox browser, the JSON is displayed formatted, which makes the two certificates (two keys) easy to see. In other browsers you may need to add a JSON viewer add-on to see the formatted JSON.
 
3. Description: Validating JWT params failed, Error Code: -18
 
If you see the above error, check your token: error code -18 means the JWT has expired.
 
4. Description:  JWT audience validation failed
 
For details on how to resolve this error, see Answer: Error "JWT audience validation failed" when setting up OAUTH.
 
Other items to keep in mind:
Ensure the profile for the OAuth staff account on the B2C Service side has the SSO permission enabled. This account needs to be set up on the IDCS side as well.
 
Making a REST call via OAuth requires a valid bearer token from IDCS, which is presented during authorization. Use the following endpoint to obtain the bearer token (e.g. https://idcs-xxxxxxxxxxxxxxxx.identity.oraclecloud.com/oauth2/v1/token) via cURL or Postman:
 
https://tenant-base-url/oauth2/v1/token
 
Additional information regarding Microsoft Azure tokens:
Azure tokens may be missing the JTI (JWT ID) claim. This claim must be included in the token, or error -21 will be generated:
-21 The unique identifier of OAuth token not specified
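As an added example (not part of this answer or of Oracle's code), the following Python script decodes a bearer token and checks the claims that correspond to the Security Log errors above: the trusted issuer (item 1), expiry (error -18), the audience claim (item 4) and the JTI claim (error -21). It does not verify the signature, which B2C Service checks against the IDCS signing certificate; the sample token it builds is constructed with a placeholder HMAC key purely so the script runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the article: the trusted issuer Entity ID and the error codes
# that the B2C Service Security Log reports for each failed check.
TRUSTED_ISSUER = "https://identity.oraclecloud.com/"
ERR_EXPIRED = -18   # "Validating JWT params failed, Error Code: -18"
ERR_NO_JTI = -21    # "The unique identifier of OAuth token not specified"

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Split a compact JWT into (header, claims); the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_claims(claims, now=None):
    """Return the findings that map to the Security Log errors described above."""
    now = int(time.time()) if now is None else now
    findings = []
    if claims.get("iss") != TRUSTED_ISSUER:
        findings.append("issuer not trusted: %r" % (claims.get("iss"),))
    if "exp" not in claims or now >= int(claims["exp"]):
        findings.append("token expired (error code %d)" % ERR_EXPIRED)
    if not claims.get("aud"):
        findings.append("audience claim missing (JWT audience validation failed)")
    if not claims.get("jti"):
        findings.append("jti claim missing (error code %d)" % ERR_NO_JTI)
    return findings

def make_sample_jwt(claims, key=b"constructed-test-key"):
    """Constructed HS256 token for offline testing only; not an IDCS-issued token."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + enc(json.dumps(claims).encode())
    return signing_input + "." + enc(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

if __name__ == "__main__":
    # Constructed sample: an already-expired token that carries no jti claim.
    token = make_sample_jwt({"iss": TRUSTED_ISSUER, "aud": "example", "exp": 1600000000})
    for finding in check_claims(decode_jwt(token)[1]):
        print(finding)
```

To triage a real token, paste the bearer token string into decode_jwt and compare the findings with the Security Log entry.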