Solved

I am receiving an "invalid_client" error when using OIDC for SSO

  • 9 April 2024
  • 6 replies

I tried to set up the OIDC SSO option for the new RingCentral community. I believe I have set everything up correctly… but I am receiving an “invalid_client” error when I attempt to test the authentication setup.

One field I am unfamiliar with is “Issuer.” I have that set to “https://ringcentral.com,” but don’t know if that is correct. The client ID and secret should be valid. I have double-checked to make sure those were entered correctly.

Any ideas?

Best answer by byrnereese 12 April 2024, 16:59

6 replies

Hi - Not sure about the cause for the error, however “Issuer” is typically defined on your Identity Provider (IDP). For example, if integrating with OKTA as your IDP, then in most OKTA deployments the default value for issuer is https://yourdomain.okta.com

 

Hope this helps!

I have set up OIDC multiple times with other vendors, and this is not a field I have ever had to enter before. So I am unsure what to put there, as we are not using Okta in this OIDC context.

I must be honest though. I suspect another cause. “Invalid client” has a specific meaning. Can you help me track down what the possible root causes are for this specific error?


Hi @byrnereese - I quickly checked with our engineers and they suggested the issue likely is with your SSO app provider, where that URL should be coming from, rather than it being your own domain (as suggested by @ruc above already). But as much as I don’t like to post this as a response in our community, this is a case where I recommend a ticket with our Support team so they can work through it and guide you directly.


Hi @byrnereese 👋,

I just private messaged you what I believe could be the solution here. Let me know if it solves it!

I wanted to follow up with regard to the solution. We investigated more closely, and we noticed Gainsight did not transmit the secret in the call to the token endpoint. I am not sure if this is to spec TBH, as I have set up OIDC before and this didn’t happen with other providers, but the fix on our end was relatively simple: adjust the auth protocol to not expect the secret to be returned.

Now everything works. 

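An added example, not part of the thread and not RingCentral's or Gainsight's code: how a token endpoint arrives at `invalid_client` when the request carries no secret, as the last post describes. The client id, secret, registry layout and `reason` field are constructed for illustration; the method names `client_secret_basic`, `client_secret_post` and `none` are the ones OpenID Connect Core defines.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote_plus

# Constructed registration; "community-sso" and the secret are sample values.
REGISTRY = {"community-sso": {"auth_method": "client_secret_basic",
                              "secret": "s3cr3t-example"}}

def detect_client_auth(headers, body):
    """Return (method, client_id, secret) as presented in a token request."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True).decode()
        except ValueError:  # bad base64 or non-UTF-8 bytes
            return ("malformed", None, None)
        cid, _, secret = raw.partition(":")
        return ("client_secret_basic", unquote_plus(cid), unquote_plus(secret))
    if "client_secret" in form:
        return ("client_secret_post", form.get("client_id"), form["client_secret"])
    return ("none", form.get("client_id"), None)

def authenticate_client(headers, body, registry=REGISTRY):
    """Decide as a token endpoint would; 'reason' is for server logs only."""
    method, cid, secret = detect_client_auth(headers, body)
    client = registry.get(cid)
    if client is None:
        return {"error": "invalid_client", "reason": "unknown client_id"}
    if method != client["auth_method"]:
        return {"error": "invalid_client",
                "reason": f"expected {client['auth_method']}, got {method}"}
    if method != "none" and not hmac.compare_digest(
            secret.encode(), client["secret"].encode()):
        return {"error": "invalid_client", "reason": "secret mismatch"}
    return {"ok": True, "method": method}

# Constructed request bodies: the first carries only client_id, no secret.
NO_SECRET = "grant_type=authorization_code&code=abc123&client_id=community-sso"
BASIC = {"Authorization": "Basic " + base64.b64encode(
    b"community-sso:s3cr3t-example").decode()}

if __name__ == "__main__":
    print(authenticate_client({}, NO_SECRET))
    print(authenticate_client(BASIC, "grant_type=authorization_code&code=abc123"))
    public = {"community-sso": {"auth_method": "none"}}
    print(authenticate_client({}, NO_SECRET, public))
```

A client registered with `none` is a public client, so the token request proves nothing beyond possession of the authorization code; such registrations are normally paired with PKCE (RFC 7636).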