Troubleshoot with OIDC debugger


To troubleshoot a sign-in problem with the OpenID Connect (OIDC) debugger at https://oidcdebugger.com, complete the following steps:

  1. Register https://oidcdebugger.com/debug as an additional redirect URI on the client application in your OIDC provider, so that the provider is allowed to send the authorization response to the debugger. Prefer a test client for this, and remove the redirect URI again when you have finished troubleshooting: every registered redirect URI is a location the provider will deliver authorization codes to.
  2. Find the authorization_endpoint and token_endpoint of your OIDC provider. You can usually find them in the discovery document at <your issuer-uri>/.well-known/openid-configuration.
    • For example, the Azure Active Directory issuer-uri is https://login.microsoftonline.com/<tenant>/v2.0. Replace <tenant> with your real one. Then go to https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration. You should see the following:
      "authorization_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize"
      "token_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"
    • If you are using Okta and the default authorization server, the OIDC metadata document URL is https://${yourOktaDomain}/.well-known/openid-configuration. If you are using a custom authorization server instead, the URL is https://${yourOktaDomain}/oauth2/${authorizationServerId}/.well-known/openid-configuration.
  3. Go to https://oidcdebugger.com, complete the following settings, and click Send Request.
    • Authorize URI – Enter the URI for the authorization_endpoint.
    • Redirect URI – Enter https://oidcdebugger.com/debug.
    • Client ID – Enter your registered client ID.
    • Scope – Set to openid (the value is case-sensitive). If the provider only releases the name and email claims when asked for them, as OIDC Core defines for the profile and email scopes, request openid profile email instead.
    • Response Type – Set to code.
    • Response Mode – Set to fragment. The authorization code is then returned in the URL fragment of the redirect to the debugger, which displays it on its success page.
  4. Exchange the authorization code shown on the OIDC debugger success page for tokens. The debugger does not do this for you: send a POST request with a form-encoded body to the token endpoint you found in step 2 (no Authorization header is needed for this request; the client secret in the body authenticates the client). Authorization codes are single-use and short-lived, so do this promptly, and do not reuse a code after the first exchange:
    POST <the token endpoint found above>
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    code=<the code returned from the OIDC debugger>&
    client_id=<your client id>&
    client_secret=<your client secret>&
    redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug
  5. You should get a JSON response from your OIDC provider like the following (ext_expires_in is specific to Azure Active Directory; other providers omit it):
    {
      "token_type": "Bearer",
      "scope": "openid",
      "expires_in": 3599,
      "ext_expires_in": 3599,
      "access_token": "...",
      "id_token": "..."
    }
  6. Decode the returned id_token with https://jwt.io. You should see the token that Opti ID uses for authentication and authorization. For example:
     {
        "aud": "...",
        "iss": "https://login.microsoftonline.com/<tenant>/v2.0",
        "iat": 1626766745,
        "nbf": 1626766745,
        "exp": 1626770645,
        "aio": "...",
        "groups": [ "..." ],
        "name": "Sample User",
        "nonce": "e5y6mv1gmb",
        "oid": "...",
        "preferred_username": "sample@...",
        "rh": "...",
        "sub": "...",
        "tid": "...",
        "uti": "...",
        "ver": "2.0"
     }
  7. Verify that all the required claims (email, family_name, given_name) are present in the id_token. Note that the sample token above does not carry them; a token like that would fail this check. If they are missing, confirm that the scopes requested in step 3 release those claims, and that the client application in your provider is configured to include them in the id_token.
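The following script walks through steps 2 to 7 offline. It is example code added to this page, not code from Opti ID or from oidcdebugger.com: it builds the authorization request with the settings from step 3, pulls the code out of the fragment of the redirect, builds the form-encoded token request from step 4, decodes a constructed id_token the way jwt.io does (without verifying the signature), and then runs the step 7 claim check together with the issuer, audience, nonce and expiry checks a relying party would apply. Every URL, client ID, secret, code and token value in it is a constructed placeholder; the discovery excerpt and claim names mirror the Azure Active Directory sample above.

```python
"""Offline walk-through of the OIDC debugger procedure above.
Example code added to this page, not code from Opti ID or oidcdebugger.com.
Every URL, client ID, secret, code and token value is a constructed placeholder,
so the script runs without contacting a real provider."""
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_URI = "https://oidcdebugger.com/debug"
REQUIRED_CLAIMS = ("email", "family_name", "given_name")
# Step 2: constructed excerpt of <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/<tenant>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token",
}

def build_authorize_url(authorization_endpoint, client_id, nonce, state, scope="openid"):
    """Step 3: the request the debugger sends (response_type=code, response_mode=fragment)."""
    params = {"client_id": client_id, "redirect_uri": REDIRECT_URI, "scope": scope,
              "response_type": "code", "response_mode": "fragment",
              "nonce": nonce,   # echoed inside the id_token; checked in check_id_token
              "state": state}   # echoed in the redirect; ties the response to this request
    return authorization_endpoint + "?" + urlencode(params)

def code_from_redirect(redirect_url, expected_state):
    """Parse the authorization code out of the fragment of the redirect back to the debugger."""
    fragment = parse_qs(urlsplit(redirect_url).fragment)
    if "error" in fragment:
        raise ValueError("provider returned error: " + fragment["error"][0])
    if fragment.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    return fragment["code"][0]

def token_request_body(code, client_id, client_secret):
    """Step 4: form-encoded body POSTed to the token endpoint (no Authorization header)."""
    return urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "client_secret": client_secret, "redirect_uri": REDIRECT_URI})

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_id_token(claims):
    """Build a constructed, UNSIGNED id_token (dummy signature) for offline decoding only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])

def decode_id_token(id_token):
    """Step 6: show header and claims the way jwt.io does. This does NOT verify the
    signature; a real relying party must validate it against the provider's JWKS."""
    header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))

def check_id_token(claims, issuer, client_id, nonce, now=None, required=REQUIRED_CLAIMS):
    """Step 7 plus basic sanity checks. Returns a list of problems; empty means OK."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss %r does not match issuer %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")  # a string, or a list when the token has several audiences
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud %r is not this client" % (aud,))
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch (possible replay)")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    problems += ["missing required claim: " + name for name in required if name not in claims]
    return problems

def run_walkthrough(client_id="sample-client-id", client_secret="sample-secret", now=None):
    """Steps 2-7 end to end on constructed data; returns the intermediate values and problems."""
    now = time.time() if now is None else now
    issuer = SAMPLE_DISCOVERY["issuer"]
    nonce, state = "e5y6mv1gmb", "constructed-state"
    authorize_url = build_authorize_url(SAMPLE_DISCOVERY["authorization_endpoint"], client_id, nonce, state)
    # Constructed redirect: where the browser lands after login (code in the fragment).
    code = code_from_redirect(REDIRECT_URI + "#code=constructed-code&state=" + state, state)
    body = token_request_body(code, client_id, client_secret)  # POST this to token_endpoint
    # Constructed token-endpoint response: an id_token shaped like the sample above,
    # with the three required claims present.
    id_token = make_sample_id_token({
        "aud": client_id, "iss": issuer, "iat": int(now), "nbf": int(now), "exp": int(now) + 3600,
        "nonce": nonce, "name": "Sample User", "preferred_username": "sample@example.com",
        "email": "sample@example.com", "given_name": "Sample", "family_name": "User",
        "sub": "constructed-sub", "groups": ["constructed-group"], "ver": "2.0"})
    _header, claims = decode_id_token(id_token)
    return {"authorize_url": authorize_url, "token_request_body": body, "claims": claims,
            "problems": check_id_token(claims, issuer, client_id, nonce, now=now)}

if __name__ == "__main__":
    print(json.dumps(run_walkthrough(), indent=2))
```

Run it as-is to see the authorization URL, the token request body and an empty problem list; drop the email, given_name or family_name entry from the constructed claims to see the step 7 failure, or change the nonce to see the replay check fire. To use the checks against a real provider, replace the constructed redirect and id_token with the values from the debugger and the token endpoint, and keep in mind that decode_id_token deliberately skips signature validation.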