ERROR: Invalid token response #92

Open
joaocg opened this issue Jul 18, 2018 · 14 comments

Comments

@joaocg

joaocg commented Jul 18, 2018

Sorry for my ignorance!
I'm getting the error message below:

ERROR: Invalid token response

Are there any specific settings I need to make in the plugin?
Or what do I have to do on openid?

@tolstenko

tolstenko commented Aug 10, 2018

I am facing this same problem. Did you solve it?
logs

@timhampton

Me too!

@mvarblow
Contributor

The response from your identity provider is missing the id_token, which is required by the Open ID Connect specification. Your identity provider does not seem to implement Open ID Connect?

https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse

@mrm1st3r

mrm1st3r commented Oct 1, 2018

I had the same problem and it helped to add "openid" as a scope in the plugin's settings.
I'm using the plugin in combination with Keycloak, if that matters.

@thedulus

thedulus commented Nov 12, 2018

I have the same issue, and adding 'openid' to the plugin's scope did not fix it. Is there anything else that I should consider? (I've followed this guide to set up Keycloak and the openid-connect plugin)
https://westergaard.eu/2018/05/sso-lets-talk-about-single-sign-on-for-wordpress-and-gitlab-using-keycloak-redhat-sso-featuring-special-guest-duo-security-for-2fa/

@joaocg
Author

joaocg commented Jan 8, 2019

Did anyone find a solution?

@CharlyRipp

@joaocg Adding openid to the scope worked for me. Keycloak 2+ no longer sends the id_token unless the openid scope is specified.
It did give me the same error when attempting to log in from the screen it drops you on when you get the error -- it worked once I left and went through a normal login flow.

Well, when I say worked, I got further -- the defaults for Display Name Formatting didn't match up with what Keycloak sends, leading me to another issue, #91, which I got working. Now all is good!

@gnompsky

gnompsky commented Oct 8, 2019

With regard to the openid scope, this is a required scope in order to use Open ID Connect. If you are intending to use Open ID Connect, you MUST have this scope in your list. It may not solve all problems above but should be included regardless.

@cescarsega

Can anyone help me with this? I can't seem to get past the code not valid error after logging in with Keycloak.

@aupr

aupr commented Jun 28, 2020

> I had the same problem and it helped to add "openid" as a scope in the plugin's settings.
> I'm using the plugin in combination with Keycloak, if that matters.

This approach worked for me. After I saved the settings, it failed the first time I tried, but it started to work from the second request :)

@lucasmkrolow

I'm facing the same issue.
I'm trying to use Nextcloud as login server, it worked using the MiniOrange Plugin, but that plugin is giving me trouble with another plugin.
I already disabled refresh token, but no success, already tried using openid scope, but Nextcloud doesn't support scope (could this be the problem?)
I really need this to work, could anyone give me some hint?

@timnolte
Collaborator

@lucasmkrolow does Nextcloud actually support the OpenID Connect standard? MiniOrange also provides solutions for SAML, which is not the same thing as OpenID Connect. Can you provide a list of the configuration parameters that are available in Nextcloud and which OpenID Connect configuration documentation for Nextcloud you are using?

@lucasmkrolow

Nextcloud uses OAuth 2.0 (that might be the problem).
When I create a client there (with Name and Redirect URI) they give me the Client ID and the Secret Key, which I enter in the config page, along with the following URLs:
Authorization endpoint: https://cloud.example.org/apps/oauth2/authorize
Token endpoint: https://cloud.example.org/apps/oauth2/api/v1/token
User info endpoint: https://cloud.modularat.com.br/ocs/v2.php/cloud/user?format=json
I just don't have a Logout URL.
For Identity key I use: ocs.data.id (the same as MO plugin used)
Also, I'm not quite sure what to enter in Nickname Key, Email Formatting and Display Name Formatting.

@isikhi

isikhi commented Dec 7, 2020

Just add openid to scope
Auth0 OpenId Connect Scope Reference Page
As you can see you should add openid as a scope
openid (required; to indicate that the application intends to use OIDC to verify the user's identity)
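
Added example, not from any commenter or from the plugin's code: a Python check of a token endpoint response for the two causes discussed in this thread, a requested scope that lacks `openid` and a provider that only implements OAuth 2.0. The function name, finding strings and sample responses are constructed for illustration.

```python
import json

# Finding strings returned by diagnose_token_response (names are this example's own).
SCOPE_LACKS_OPENID = "id_token missing: requested scope does not contain 'openid'"
PROVIDER_NOT_OIDC = "id_token missing although 'openid' was requested: provider may be OAuth 2.0 only"
MALFORMED_ID_TOKEN = "id_token is not a compact JWT (3 parts) or JWE (5 parts)"

def diagnose_token_response(body, requested_scope):
    """Check a token endpoint response body against OIDC Core 3.1.3.3."""
    try:
        resp = json.loads(body)
    except ValueError:
        return ["response body is not JSON"]
    if not isinstance(resp, dict):
        return ["response body is not a JSON object"]
    if "error" in resp:
        return ["provider returned error: %s" % resp["error"]]
    findings = []
    if "access_token" not in resp:
        findings.append("access_token missing")
    if str(resp.get("token_type", "")).lower() != "bearer":
        findings.append("token_type is not Bearer")
    id_token = resp.get("id_token")
    if id_token is None:
        # scope is a space-delimited list; 'openid' must be one of its values
        if "openid" in requested_scope.split():
            findings.append(PROVIDER_NOT_OIDC)
        else:
            findings.append(SCOPE_LACKS_OPENID)
    elif not isinstance(id_token, str) or len(id_token.split(".")) not in (3, 5):
        findings.append(MALFORMED_ID_TOKEN)
    # An empty list means the response has the required shape; the client must
    # still verify the ID token's signature, iss, aud and exp before trusting it.
    return findings

# Constructed sample responses (placeholder token values, not real provider output).
OAUTH2_ONLY = '{"access_token": "at-placeholder", "token_type": "Bearer", "expires_in": 3600}'
WITH_ID_TOKEN = ('{"access_token": "at-placeholder", "token_type": "Bearer", '
                 '"id_token": "hdr-placeholder.payload-placeholder.sig-placeholder"}')

if __name__ == "__main__":
    for scope, body in [("email profile", OAUTH2_ONLY),
                        ("openid email profile", OAUTH2_ONLY),
                        ("openid email profile", WITH_ID_TOKEN)]:
        print(scope, "->", diagnose_token_response(body, scope) or "OK")
```
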
