OIDC discovery error

I am trying to set up OIDC with Okta.

When committing the configuration, I hit the following error. What could possibly cause this?

I did a curl to the discovery URL and was able to receive a response from it.

{
  "issuer": "https://somecompany.okta.com",
  "authorization_endpoint": "https://somecompany.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://somecompany.okta.com/oauth2/v1/token",
  "userinfo_endpoint": "https://somecompany.okta.com/oauth2/v1/userinfo",
  "registration_endpoint": "https://somecompany.okta.com/oauth2/v1/clients/0oakpm6qr3B8GXth34x6",
  "jwks_uri": "https://somecompany.okta.com/oauth2/v1/keys?client_id=0oakpm6qr3B8GXth34x6",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "code token",
    "id_token token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "okta_post_message"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "address",
    "phone",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "iss",
    "ver",
    "sub",
    "aud",
    "iat",
    "exp",
    "jti",
    "auth_time",
    "amr",
    "idp",
    "nonce",
    "name",
    "nickname",
    "preferred_username",
    "given_name",
    "middle_name",
    "family_name",
    "email",
    "email_verified",
    "profile",
    "zoneinfo",
    "locale",
    "address",
    "phone_number",
    "picture",
    "website",
    "gender",
    "birthdate",
    "updated_at",
    "at_hash",
    "c_hash"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "introspection_endpoint": "https://somecompany.okta.com/oauth2/v1/introspect",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "revocation_endpoint": "https://somecompany.okta.com/oauth2/v1/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "end_session_endpoint": "https://somecompany.okta.com/oauth2/v1/logout",
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512"
  ]
}

Hello,

It looks like Vault does not have a connection to https://somecompany.okta.com/.well-known/openid-configuration; I assume this link is set as the oidc_discovery_url parameter in the OIDC configuration.
Can you verify the connection from the instance that Vault is running on to your oidc_discovery_url, with curl for example? If the connection can be established to the provider, you should get a JSON document in return.

Martin
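To go one step past a bare curl from the Vault host, the script below (an added example, not code from Vault, Okta or anyone in this thread) fetches the discovery document, checks the fields a relying party depends on (issuer matching the discovery URL, https endpoints on the issuer's host, RS256 offered), and then fetches the jwks_uri, since a firewall that blocks only part of the return traffic can let the discovery document through and still break the key fetch. The required-field set and the sample document are assumptions, the latter trimmed from the curl output above.

```python
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields a relying party such as Vault needs; an assumed subset, not the full Discovery spec list.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "jwks_uri", "id_token_signing_alg_values_supported")

# Constructed sample, trimmed from the curl output posted in the thread.
SAMPLE_DOC = {
    "issuer": "https://somecompany.okta.com",
    "authorization_endpoint": "https://somecompany.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://somecompany.okta.com/oauth2/v1/token",
    "jwks_uri": "https://somecompany.okta.com/oauth2/v1/keys?client_id=0oakpm6qr3B8GXth34x6",
    "id_token_signing_alg_values_supported": ["RS256"],
}

def check_discovery(doc: dict, discovery_url: str) -> list:
    """Return the problems found in a discovery document (empty list = OK)."""
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    if problems:
        return problems
    expected = discovery_url[:-len(WELL_KNOWN)] if discovery_url.endswith(WELL_KNOWN) else discovery_url
    if doc["issuer"].rstrip("/") != expected.rstrip("/"):
        problems.append(f"issuer {doc['issuer']} does not match the discovery URL")
    issuer_host = urlparse(doc["issuer"]).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parts = urlparse(doc[key])
        if parts.scheme != "https":
            problems.append(f"{key} is not served over https")
        if parts.netloc != issuer_host:
            problems.append(f"{key} host {parts.netloc} differs from issuer host")
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        problems.append("RS256 is not offered for id_token signing")
    return problems

def fetch_json(url: str, timeout: float = 10.0) -> dict:
    """GET url from the Vault host and parse the body; raises on network errors."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

def verify_provider(discovery_url: str) -> list:
    """Fetch the discovery document, check it, then fetch the JWKS it points at."""
    doc = fetch_json(discovery_url)
    problems = check_discovery(doc, discovery_url)
    if not problems and not fetch_json(doc["jwks_uri"]).get("keys"):
        problems.append("jwks_uri returned no keys")
    return problems
```

Run `verify_provider("https://somecompany.okta.com" + WELL_KNOWN)` on the Vault host; a timeout or URLError on the second fetch points at the return path rather than at the Okta configuration.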

Hello Martin,

Thanks for the reply. The attached JSON output was the curl response from Okta, executed from Vault itself.

I suspect that something was not configured on the Okta side. When I pasted the URL into a browser, I got the following error code:

{"errorCode":"E0000022","errorSummary":"The endpoint does not support the provided HTTP method","errorLink":"E0000022","errorId":"oaeu-ftiv-DRuK45ElXHGzO7Q","errorCauses":}

I tried some common OIDC discovery URLs and they do have a sign-in screen.

Issue resolved. The firewall is blocking some of the return traffic from the Okta service.

Okta has some test scripts for the authentication flow to troubleshoot integration issues.