Solved

I am receiving an "invalid_client" error when using OIDC for SSO


byrnereese

I tried to set up the OIDC SSO option for the new RingCentral community. I believe I have set everything up correctly… but I am receiving an “invalid_client” error when I attempt to test the authentication setup.

One field I am unfamiliar with is “Issuer.” I have that set to “https://ringcentral.com,” but don’t know if that is correct. The client ID and secret should be valid. I have double checked to make sure those were entered correctly. 

Any ideas?


6 replies

  • Contributor ⭐️⭐️⭐️
  • 13 replies
  • April 11, 2024

Hi - Not sure about the cause of the error; however, “Issuer” is typically defined on your Identity Provider (IDP). For example, if integrating with Okta as your IDP, then in most Okta deployments the default value for issuer is https://yourdomain.okta.com

Hope this helps!


byrnereese
  • Author
  • Helper ⭐️
  • 6 replies
  • April 11, 2024

I have set up OIDC multiple times with other vendors, and this is not a field I have ever had to enter before. So I am unsure what to put there, as we are not using Okta in this OIDC context.


byrnereese
  • Author
  • Helper ⭐️
  • 6 replies
  • April 11, 2024

I must be honest though. I suspect another cause. “Invalid client” has a specific meaning. Can you help me track down what are possible root causes for this specific error?


Kenneth R
  • Gainsight Community Manager
  • 424 replies
  • April 11, 2024

Hi @byrnereese - I quickly checked with our engineers and they suggested the issue likely is with your SSO app provider, where that URL should be coming from, rather than it being your own domain (as suggested by @ruc above already). But as much as I don’t like to post this as a response in our community, this is a case where I recommend a ticket with our Support team so they can work through it and guide you directly.


olimarrio
  • Gainsight Employee ⭐️
  • 402 replies
  • April 11, 2024

Hi @byrnereese 👋,

I just private messaged you what I believe could be the solution here. Let me know if it solves it!


byrnereese
  • Author
  • Helper ⭐️
  • 6 replies
  • Answer
  • April 12, 2024

I wanted to follow up with regards to the solution. We investigated more closely, and we noticed Gainsight did not transmit the secret in the call to the token endpoint. I am not sure if this is to spec TBH, as I have set up OIDC before and this didn’t happen with other providers, but the fix on our end was relatively simple: adjust the auth protocol to not expect the secret to be returned.

Now everything works. 
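
The root causes asked about earlier in the thread can be told apart at the token endpoint, where a missing, mismatched or wrong client credential is reported as `invalid_client` (RFC 6749, section 5.2). The sketch below is an added example, not code from RingCentral or Gainsight; the client registry, IDs, secrets and function names are constructed for illustration.

```python
import base64
import hmac
from urllib.parse import unquote_plus

# Constructed registry: hypothetical client IDs and secrets, one entry per
# registered token_endpoint_auth_method (OIDC Core, section 9).
CLIENTS = {
    "community-sso": {"secret": "s3cr3t-constructed", "auth_method": "client_secret_basic"},
    "public-spa": {"secret": None, "auth_method": "none"},
}

def presented_credentials(headers, form):
    """Return (method, client_id, secret) exactly as the caller presented them."""
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:  # invalid Base64 or invalid UTF-8
            return ("malformed", None, None)
        cid, _, sec = raw.partition(":")
        # RFC 6749 2.3.1: id and secret are form-urlencoded before Base64.
        return ("client_secret_basic", unquote_plus(cid), unquote_plus(sec))
    if "client_secret" in form:
        return ("client_secret_post", form.get("client_id"), form["client_secret"])
    return ("none", form.get("client_id"), None)  # no secret sent at all

def check_client(headers, form, clients=CLIENTS):
    """Return (ok, reason). Every failure here is answered with invalid_client."""
    method, cid, secret = presented_credentials(headers, form)
    if method == "malformed":
        return (False, "malformed Authorization header")
    client = clients.get(cid)
    if client is None:
        return (False, "unknown client_id")
    if method != client["auth_method"]:
        return (False, f"client used {method}, registered for {client['auth_method']}")
    if method == "none":
        return (True, "public client, no secret expected")
    # Constant-time comparison so response timing does not leak secret bytes.
    if not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return (False, "wrong client_secret")
    return (True, "authenticated")
```

Logging the `reason` string server-side while returning only `invalid_client` to the caller makes this kind of mismatch quick to diagnose. A client registered with `none` is a public client, so the authorization code is then protected by redirect URI validation and, where the provider enforces it, PKCE rather than by a secret.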

