Oath Inc.

4 Troubleshooting OAuth2/OpenID Connect

Invalid request error

You will see this error if any of the access_token request data is incorrect.

  • Make sure all parameters are spelled correctly (e.g., scope, grant_type, client_assertion, realm, redirect_uri, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, etc.).
  • If using JWT, make sure the algorithm value is explicitly set (HS256, etc.). Some libraries do not send the algorithm value when the default is used.

If you see the following error, then set the algorithm value to fix it. (Check under OAuth2 API -> Generating Json Web Token (JWT) for a code sample.)

{
 "error_description": "No enum constant org.forgerock.json.jose.jws.JwsAlgorithm.none",
 "error": "invalid_request"
}

If you take the first part of the JWT (the header) and base64-decode it, you will see that the algorithm value is missing (it reads "none"):

{"typ":"JWT","alg":"none"}

Sample fix (using jose4j):

import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
JsonWebSignature jws = new JsonWebSignature();
jws.setPayload(claims.toJson());
// Set the algorithm explicitly; otherwise the header may be sent with "alg":"none"
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);

After fixing, if you take the first part of the JWT (the header) and base64-decode it, you will see this:

{"typ":"JWT","alg":"HS256"}

If you see the following error for an introspect call, then make sure you are passing the Authorization: Bearer header.

{
 "error_description": "unable to process request",
 "error": "invalid_request"
}

Invalid client errors

You can get an invalid_client error if:

  • the JWT assertion is not correct (expired, invalid, wrong audience, etc.)
  • the client_id is not found
  • the client_id or client_secret is invalid

If you see the following JWT expired error:

{"error_description":"JWT has expired or is not valid","error":"invalid_client"}

  • Make sure the JWT claim values "exp" and "iat" are expressed in seconds (epoch time).
  • Make sure that 'exp' is in the future but no further ahead than the server-side configured limit (e.g., 24 hrs).
  • Make sure the client_secret used to sign the JWS is the same as the one received from the Identity team or ONE Central.

Notes:

  • "exp" and "iat" values should be numeric. Do not set them as strings.
  • "exp" value should be less than 24 hrs away. The preferred value is currentTime + 600 (i.e., 10 minutes).
  • Do not use currentTime + (24 * 60 * 60); you may get a "JWT has expired or is not valid" error.

If you see the following audience error, then the 'aud' value in the claim is wrong:

{
 "error_description": "Audience validation failed",
 "error": "invalid_client"
}

Fix the 'aud' value in the claim. The value for 'aud' should be:

For UAT:

https://id-uat2.corp.aol.com/identity/oauth2/access_token?realm=aolcorporate/aolexternals

For Production:

https://id.corp.aol.com/identity/oauth2/access_token?realm=aolcorporate/aolexternals

Realm value should be "aolcorporate/aolexternals" (both UAT and Prod)

Scope value should be "one" (both UAT and Prod)

If you see the following error, then check the 'sub' value in the claim and also the secret used to sign the JWS (client_secret). They should match the credentials you received from the Identity Team or ONE Central team. Also, make sure you are using the correct realm value you received from the Identity team or ONE Central.

{
 "error_description": "Client authentication failed",
 "error": "invalid_client"
}

Things to check

  1. Make sure the realm value is correct
  2. Make sure the client_id and client_secret used in the JWT are correct
  3. Make sure client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer (check for typos in the value)
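The checks in the invalid_request section (header "alg" must not be "none") and in this invalid_client section (numeric exp/iat within the server limit, the realm-qualified token endpoint as "aud", "sub" and the signing secret matching the client credentials) can all be run locally before the token request is sent. The following Python script is an added example, not code from this page or from the Identity team: it builds a jwt-bearer client assertion the way the page prescribes, decodes the header and claims the way the page suggests, and reports which documented error a given assertion would most likely trigger. The UAT endpoint, realm, 24-hour limit and the currentTime + 600 recommendation come from the page; the "iss" claim, the client_id and client_secret values and the 10-minute default are assumptions or constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# UAT token endpoint, realm-qualified, as given on the page. The client_id and
# client_secret used below are constructed placeholders, not real credentials.
TOKEN_ENDPOINT = ("https://id-uat2.corp.aol.com/identity/oauth2/access_token"
                  "?realm=aolcorporate/aolexternals")
MAX_LIFETIME = 24 * 60 * 60      # server-side limit on exp, per the page
PREFERRED_LIFETIME = 600         # the currentTime + 600 the page recommends


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def build_client_assertion(client_id, client_secret, now=None,
                           lifetime=PREFERRED_LIFETIME, alg="HS256", extra_claims=None):
    """Build a jwt-bearer client assertion signed with HS256; alg and extra_claims
    exist only so the linter below can be fed deliberately broken tokens."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": alg}            # alg set explicitly, never "none"
    claims = {"iss": client_id, "sub": client_id,  # iss = client_id is an assumption (RFC 7523)
              "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + lifetime}  # numbers, not strings
    claims.update(extra_claims or {})
    signing_input = _json_segment(header) + "." + _json_segment(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_segment(assertion: str, index: int) -> dict:
    """Decode the header (0) or claims (1) without verifying: the manual check the page describes."""
    return json.loads(_b64url_decode(assertion.split(".")[index]))


def lint_client_assertion(assertion, client_id, client_secret,
                          expected_aud=TOKEN_ENDPOINT, now=None):
    """Return the problems found; an empty list means every check on the page passed.

    alg "none" maps to the invalid_request error; bad exp/iat, wrong aud and a wrong
    sub or secret map to the three invalid_client errors documented above."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["expected header.claims.signature, got %d segment(s); truncated?" % len(parts)]
    try:
        header, claims = decode_segment(assertion, 0), decode_segment(assertion, 1)
        signature = _b64url_decode(parts[2])
    except ValueError as exc:                     # bad base64url or bad JSON
        return ["segment is not valid base64url JSON: %s" % exc]
    problems = []
    if header.get("alg") in (None, "none"):
        problems.append('header "alg" is missing or "none"; set it explicitly (HS256)')
    for name in ("exp", "iat"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append('"%s" must be a number of epoch seconds, got %r' % (name, value))
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and not isinstance(exp, bool):
        if exp <= now:
            problems.append('"exp" is in the past')
        elif exp - now >= MAX_LIFETIME:
            problems.append('"exp" is 24 hrs or more away; use currentTime + 600')
    if claims.get("aud") != expected_aud:
        problems.append('"aud" is %r, expected the token endpoint' % claims.get("aud"))
    if claims.get("sub") != client_id:
        problems.append('"sub" is %r, expected the client_id %r' % (claims.get("sub"), client_id))
    expected_sig = hmac.new(client_secret.encode(), (parts[0] + "." + parts[1]).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        problems.append("signature does not verify with this client_secret")
    return problems


if __name__ == "__main__":
    cid, secret = "example-client-id", "example-client-secret"
    good = build_client_assertion(cid, secret)
    print(decode_segment(good, 0))                           # {'typ': 'JWT', 'alg': 'HS256'}
    print(lint_client_assertion(good, cid, secret))          # []
    bad = build_client_assertion(cid, secret, alg="none", lifetime=MAX_LIFETIME,
                                 extra_claims={"iat": str(int(time.time()))})
    for problem in lint_client_assertion(bad, cid, "wrong-secret"):
        print("-", problem)
```

The linter deliberately accepts a `now` argument so a captured assertion can be re-checked against the time it was actually sent; run without it, it uses the current clock, which is what the server does.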

Invalid scopes

Compare the value you are passing for scope with the value configured for your client credentials. If the passed scope value is not configured for that client_id, you will see the following error. Check for any typos too.

{
 "error_description": "Unknown/invalid scope(s): [introspects]",
 "error": "invalid_scope"
}

Scope should be "one".

Unsupported grant type

If the grant_type value is not one of the allowed values (client_credentials|password|refresh_token|authorization_code), then you will see the following error. Check for any typos in the grant_type value.

{
 "error_description": "Grant type is not supported: client_credential",
 "error": "unsupported_grant_type"
}

Invalid grant

If you are exchanging a code for an access_token and see this error, then the code provided might be wrong or expired.

{
 "error_description": "The provided access grant is invalid, expired, or revoked.",
 "error": "invalid_grant"
}

  • Make sure it was generated for the same client_id and realm combination.
  • Make sure you did not alter the code you received in the authorize redirect call.

If you are getting an access_token using a refresh_token and see the following error, then either the refresh_token value is wrong or it has expired.

{
 "error_description": "grant is invalid",
 "error": "invalid_grant"
}

  • Check for any typos or truncations.
  • Make sure the refresh_token used is for the same client_id, realm and scope combination.

Invalid token

If you are making an introspect or userinfo call and see the following error, then make sure you are passing the Bearer token value in the Authorization header correctly:

  • Make sure it has no typos and no truncations.
  • Make sure it was generated for the same realm.

If it still doesn't work, then the token might have expired or been revoked. Get a fresh bearer token and try again.

{
 "error_description": "The access token provided is expired, revoked, malformed, or invalid for other reasons.",
 "error": "invalid_token"
}

Unauthorized client

If you are making a userinfo call and see the following error, then the bearer token used might have been generated for a client that is not in the same realm. Make sure the realm value is correct. Check for any typos in the realm value.

{
 "error_description": "Not able to get client from OpenAM",
 "error": "unauthorized_client"
} 

Insufficient scope

If you are making an introspect call and see this error, then the Bearer token might not have been generated with the introspect scope. Make sure the access_token you generated to use as the Bearer token has the introspect scope.

{
 "error_description": "request is not authorized for introspection",
 "error": "insufficient_scope"
}

Server error

You may see this error if the request data is not in the expected format, the flow is not supported, or for some other server-side reason. For the access_token API, check that client_assertion carries a correct JWT value.

{
 "error_description": "Internal Server Error",
 "error": "server_error"
}

Things to check

  1. Make sure all required parameters are passed.
  2. No typos in parameter names. All parameter names are in lowercase.
  3. Check the format of values such as the JWT (it includes header, claims and signature). No truncation, etc.
  4. If grant_type is client_credentials, then client_assertion_type and client_assertion are required.
  5. If grant_type is authorization_code, then code is required.
  6. If grant_type is refresh_token, then refresh_token is required.
  7. Make sure "exp" and "iat" in the JWT claims are numeric values. Do not set them as strings.
  8. If you are making a userinfo call and see this error, then make sure the API endpoint is correct and also that you are using the correct realm value.
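The checklist above, together with the unsupported_grant_type and invalid_scope sections, can be turned into a pre-flight check of the access_token form body before it is sent, so a typo such as client_credential or an unprovisioned scope such as introspects is caught locally rather than as a server error. The following Python function is an added example and not code from this page or from the Identity team; the allowed grant types, the client_assertion_type value, the realm and the scope "one" are taken from the page, while the required-parameter table, the problem wording and the sample form are constructed for illustration. It only checks the parameter set, not the JWT itself.

```python
# Allowed values from the page; REQUIRED_BY_GRANT encodes checklist items 4-6.
ALLOWED_GRANT_TYPES = ("client_credentials", "password", "refresh_token", "authorization_code")
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
EXPECTED_REALM = "aolcorporate/aolexternals"
REQUIRED_BY_GRANT = {
    "client_credentials": ("client_assertion_type", "client_assertion"),
    "authorization_code": ("code",),
    "refresh_token": ("refresh_token",),
}


def preflight(form: dict, configured_scopes) -> list:
    """Return problems with the form body; an empty list means the checklist is satisfied.

    configured_scopes is the set of scopes provisioned for this client_id (here "one").
    """
    problems = []
    for name, value in form.items():
        if name != name.lower():                                    # item 2
            problems.append("parameter name %r must be lowercase" % name)
        if value in ("", None):                                     # item 1
            problems.append("parameter %r is present but empty" % name)
    grant_type = form.get("grant_type")
    if grant_type not in ALLOWED_GRANT_TYPES:                       # mirrors unsupported_grant_type
        problems.append("unsupported_grant_type: Grant type is not supported: %s" % grant_type)
    for required in REQUIRED_BY_GRANT.get(grant_type, ()):          # items 4-6
        if not form.get(required):
            problems.append("%s is required when grant_type=%s" % (required, grant_type))
    assertion_type = form.get("client_assertion_type")
    if assertion_type is not None and assertion_type != JWT_BEARER:
        problems.append("client_assertion_type is %r; expected %r" % (assertion_type, JWT_BEARER))
    assertion = form.get("client_assertion")
    if assertion is not None and assertion.count(".") != 2:        # item 3: header.claims.signature
        problems.append("client_assertion must be header.claims.signature; truncated?")
    if form.get("realm") != EXPECTED_REALM:
        problems.append("realm is %r; expected %r" % (form.get("realm"), EXPECTED_REALM))
    requested = set((form.get("scope") or "").split())
    unknown = sorted(requested - set(configured_scopes))            # mirrors invalid_scope
    if unknown:
        problems.append("invalid_scope: Unknown/invalid scope(s): %s" % unknown)
    return problems


if __name__ == "__main__":
    # Constructed form reproducing the page's two sample errors plus a truncated JWT.
    form = {"grant_type": "client_credential",
            "client_assertion_type": JWT_BEARER,
            "client_assertion": "eyJ0eXAi.eyJpc3Mi",     # constructed: signature segment missing
            "scope": "introspects",
            "realm": EXPECTED_REALM}
    for problem in preflight(form, {"one"}):
        print("-", problem)
```

Because the check is table-driven, adding another grant type or another required parameter is a one-line change to REQUIRED_BY_GRANT rather than a new branch.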