
Token exchange always returns “403 Forbidden” despite correct client_secret_basic and redirect URI #580

@angiehxliang


Describe the bug
After successful authorization with our OpenID provider (Clareity IAM), the plugin fails during the token exchange step and returns:

To Reproduce
Steps to reproduce the behavior:

Go to WordPress Admin → Settings → OpenID Connect Client

Enter the following configuration:

Client ID: oidc-nlar-nlarresource

Client Secret: (valid secret from provider)

Authorization Endpoint: https://nlar.clareityiam.net/idp/profile/oidc/authorization

Token Endpoint: https://nlar.clareityiam.net/idp/profile/oidc/token

User Info Endpoint: https://nlar.clareityiam.net/idp/profile/oidc/userinfo

Scope: openid email

Redirect URI: https://nlarresource.ca/openid-connect-authorize

Token Endpoint Auth Method: client_secret_basic

Save settings.

From the WordPress login page, click “Login with OpenID Connect.”

Sign in successfully at Clareity IAM.

Observe redirect to your WordPress site returning:
/openid-connect-authorize?code=&state=...

and the WordPress login screen showing:
ERROR (forbidden): forbidden


Expected behavior
After successful authorization at the provider, the plugin should receive a valid authorization code and successfully exchange it for tokens at the /token endpoint, logging the user into WordPress.

Instead, the provider returns 403 Forbidden, and no authorization code is issued, even though the same request works correctly in Postman using client_secret_basic.
Isolating the problem (mark completed items with an [x]):

  • I have deactivated other plugins and confirmed this bug occurs when only this plugin is active.
  • This bug happens with a default WordPress theme active.
  • I can reproduce this bug consistently using the steps above.

WordPress Environment
Website URL: https://nlarresource.ca

PHP Version: 8.2

WordPress Version: 6.6.2 (GoDaddy Managed)

Plugin Version: daggerhart-openid-connect-generic 3.11.2

Identity Provider: Clareity IAM (https://nlar.clareityiam.net/)

Relevant Plugin Settings:
Login Type: Auto Login - SSP
Scope: openid email
Token Endpoint Auth Method: client_secret_basic
Identify with user claim: email
Redirect URI: https://nlarresource.ca/openid-connect-authorize
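An added diagnostic example, not code from the plugin or from the reporter: it builds the /token request the way client_secret_basic is specified in RFC 6749 section 2.3.1 (form-urlencode client_id and secret, join with ":", base64) and refuses to send the exchange when the callback carries an empty code, which is what the redirect quoted above shows. The client secret value is a constructed placeholder; the endpoint, client ID and redirect URI are the ones from this issue.

```python
# Added diagnostic example (not part of the plugin or the issue report).
import base64
from urllib.parse import urlencode, urlsplit, parse_qs, quote

TOKEN_ENDPOINT = "https://nlar.clareityiam.net/idp/profile/oidc/token"
REDIRECT_URI = "https://nlarresource.ca/openid-connect-authorize"
CLIENT_ID = "oidc-nlar-nlarresource"
CLIENT_SECRET = "s3cr3t/with+special=chars"  # constructed placeholder, not a real secret


def parse_callback(url):
    """Return (code, state) from the URL the provider redirected the browser to."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("code", [""])[0], q.get("state", [""])[0]


def basic_auth_header(client_id, client_secret):
    """client_secret_basic per RFC 6749 2.3.1: form-urlencode both values first,
    so a secret containing '/', '+' or '=' still authenticates correctly."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def build_token_request(code, state, expected_state):
    """Assemble the /token POST; refuse when state mismatches or code is empty."""
    if state != expected_state:
        raise ValueError("state mismatch: possible CSRF or lost session cookie")
    if not code:
        # An empty code means the provider issued nothing to exchange; sending
        # the request anyway can only produce an error from the token endpoint.
        raise ValueError("authorization code is empty: nothing to exchange")
    headers = {
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        # Must match the redirect_uri sent to /authorization byte for byte.
        "redirect_uri": REDIRECT_URI,
    })
    return TOKEN_ENDPOINT, headers, body
```

Comparing the Authorization header this produces with the one Postman sends is a quick way to tell an encoding problem apart from a provider-side rejection.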
