Explanation | ID token validation failed because the issuer specified in the OpenID Connect client (relying party or RP) configuration and the issuer in the token do not match. |
Action | Make sure that the [issuerIdentifier] attribute specified in the OpenID Connect client (RP) configuration matches the issuer of the OpenID Connect provider (OP) being used. |
Explanation | An ID token cannot be created because it could not be signed. The reason for the error is shown after the message. |
Action | See the user action for the message that appears after this error. |
Explanation | An ID token cannot be created because it could not be signed. The reason for the error is shown after the message. |
Action | If using asymmetric signature, check that a valid private key is used to sign the token. For example, check whether a key is expired. Check the keyStore element referenced by the default SSL in server.xml to find information about the key store file that contains the private key. Also, see the user action for the message that appears after this error. |
Explanation | The audience in the ID token should match the client id. In this case, the (aud) audience in the ID token did not match the client id, so the ID token validation failed. |
Action | Make sure that the [clientId] attribute specified in the OpenID Connect client (relying party or RP) configuration is correct. The value is case sensitive. |
Explanation | The authorized party in the ID token should match the client id. In this case, the (azp) authorized party in the ID token did not match the client id, so the ID token validation failed. |
Action | Make sure that the [clientId] attribute specified in the OpenID Connect client (relying party or RP) configuration is correct. The value is case sensitive. |
Explanation | An ID token cannot be validated because the signature could not be verified. The reason for the error is shown after the message. |
Action | See the user action for the message that appears after this error. |
Explanation | An ID token cannot be validated because the signature could not be verified. The reason for the error is shown after the message. |
Action | If using asymmetric signature, ensure that the public key in the certificate can be used for digital signature purposes. Check the keyStore element referenced by the default SSL configuration in server.xml to find information about the key store that contains the key. Also, see the user action for the message that appears after this error. |
Explanation | An ID token cannot be validated because the current time is not between the token's issue time and its expiration time. |
Action | Make sure that OpenID Connect client (relying party or RP) and OpenID Connect provider (OP) system clocks are in sync (if they are on two systems). |
Explanation | The at_hash in the ID token enables OpenID Connect clients to prevent token substitution attacks. The at_hash value should match the hash of the access token received by the OpenID Connect client. |
Action | Ensure that the communication between the OpenID Connect client (relying party or RP) and the OpenID Connect provider (OP) is secure, so that the access token received by the RP cannot be tampered with. |
Explanation | An ID token cannot be validated because the token was not signed. The OpenID Connect client (relying party or RP) expects a signed token. |
Action | Ensure that the OpenID Connect provider enables the token to be signed. |
Explanation | An ID token cannot be validated because the OpenID Connect client (relying party or RP) and the OpenID Connect provider (OP) are using different signature algorithms to sign and verify the token. |
Action | Ensure that the signatureAlgorithm specified in the RP configuration matches the signature algorithm used by the OP. |
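The messages above each describe one check an RP performs on an ID token: issuer, audience, authorized party, signature presence and algorithm, signature verification, the iat/exp window, and at_hash. The following Python module, added here as an example and not code from the OpenID Connect client described on this page, shows all of those checks in one validator and exercises each failure mode against constructed tokens. It uses HS256 (HMAC) as a stand-in for the OP's signing key so it runs with the standard library alone; a real RP verifying an asymmetric signature would replace the HMAC comparison with a public-key verification. `OP_ISSUER`, `RP_CLIENT_ID`, `SHARED_KEY`, `NOW`, and `ACCESS_TOKEN` are constructed sample values, and the error strings are this example's own, not the product's message IDs.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example; none come from a real deployment.
OP_ISSUER = "https://op.example.test"          # what the RP's issuerIdentifier must equal
RP_CLIENT_ID = "rp-client-123"                 # what the RP's clientId must equal (case-sensitive)
SHARED_KEY = b"example-hs256-secret"           # HS256 stand-in for the OP's signing key
NOW = 1_700_000_000                            # fixed clock so the scenarios are deterministic
ACCESS_TOKEN = "example-access-token"          # access token delivered alongside the ID token

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def at_hash_for(access_token: str) -> str:
    """at_hash for a *S256 alg: base64url of the left-most 128 bits of SHA-256(access token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return _b64url_encode(digest[:16])

def make_id_token(claims: dict, key: bytes = SHARED_KEY, alg: str = "HS256") -> str:
    """Stand-in for the OP: mints a compact JWS; alg='none' yields an unsigned token."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = enc({"alg": alg, "typ": "JWT"})
    signing_input = f"{header}.{enc(claims)}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

class IdTokenError(Exception): pass

def validate_id_token(token, key, issuer, client_id, now, expected_alg="HS256",
                      access_token=None, clock_skew=0):
    """RP-side checks, in the order the message list describes them."""
    try:
        h, p, s = token.split(".")
        header, claims = dict(json.loads(_b64url_decode(h))), dict(json.loads(_b64url_decode(p)))
    except (ValueError, TypeError):  # bad segment count, bad base64/UTF-8, bad JSON, non-object
        raise IdTokenError("malformed token")
    if header.get("alg") == "none" or not s:          # RP expects a signed token
        raise IdTokenError("token not signed")
    if header.get("alg") != expected_alg:              # RP signatureAlgorithm vs OP alg
        raise IdTokenError("signature algorithm mismatch")
    expected_sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise IdTokenError("signature verification failed")
    if claims.get("iss") != issuer:                    # issuerIdentifier vs iss
        raise IdTokenError("issuer mismatch")
    aud_list = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if client_id not in aud_list:                      # exact, case-sensitive comparison
        raise IdTokenError("audience mismatch")
    if "azp" in claims and claims["azp"] != client_id:
        raise IdTokenError("authorized party mismatch")
    if len(aud_list) > 1 and "azp" not in claims:      # OIDC Core requires azp here
        raise IdTokenError("azp required with multiple audiences")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(t, (int, float)) for t in (iat, exp)) or not (
            iat - clock_skew <= now < exp + clock_skew):
        raise IdTokenError("token not within iat/exp window")
    if access_token is not None and "at_hash" in claims:   # token substitution check
        if not hmac.compare_digest(str(claims["at_hash"]).encode(), at_hash_for(access_token).encode()):
            raise IdTokenError("at_hash mismatch")
    return claims

def check_id_token(**kwargs) -> str:
    try:
        validate_id_token(**kwargs)
        return "ok"
    except IdTokenError as err:
        return str(err)

def scenarios() -> dict:
    """One good token plus one token per failure mode in the message list."""
    good = {"iss": OP_ISSUER, "sub": "alice", "aud": RP_CLIENT_ID,
            "iat": NOW - 5, "exp": NOW + 300, "at_hash": at_hash_for(ACCESS_TOKEN)}
    rp = dict(key=SHARED_KEY, issuer=OP_ISSUER, client_id=RP_CLIENT_ID,
              access_token=ACCESS_TOKEN, now=NOW)
    cases = {
        "valid": (make_id_token(good), {}),
        "issuer mismatch": (make_id_token({**good, "iss": "https://other.example.test"}), {}),
        "aud case differs": (make_id_token({**good, "aud": "RP-CLIENT-123"}), {}),
        "azp mismatch": (make_id_token({**good, "aud": [RP_CLIENT_ID, "other"], "azp": "other"}), {}),
        "wrong key": (make_id_token(good, key=b"not-the-op-key"), {}),
        "expired": (make_id_token({**good, "exp": NOW - 1}), {}),
        "unsigned": (make_id_token(good, alg="none"), {}),
        "alg mismatch": (make_id_token(good, alg="HS384"), {}),
        "substituted access token": (make_id_token(good), {"access_token": "other-token"}),
        "skew tolerated": (make_id_token({**good, "iat": NOW + 30}), {"clock_skew": 60}),
    }
    return {name: check_id_token(token=tok, **{**rp, **extra}) for name, (tok, extra) in cases.items()}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} -> {result}")
```

Two design points worth noting: the algorithm check runs before the signature check, so a token whose header names an algorithm the RP was not configured for is rejected without ever being verified, and the iat/exp window takes an explicit `clock_skew` so the "system clocks are in sync" action above can be tuned deliberately rather than by disabling the time check.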