This article provides troubleshooting tips and guidance if you encounter problems while using OIDC.
Invalid client id
If you get the following error message after login, the OpenId:ClientId in the master.config file is incorrect or has changed on the identity provider’s side.
In this case, the identity provider must provide the new client ID, which must be updated in the master.config file. Note that after setup, the application at the identity provider may take up to five minutes to become available.
Invalid client
If you get the following error message after login, the OpenId:ClientSecret in the master.config file is incorrect or has changed on the identity provider’s side.
The identity provider must provide the new client secret, which must be updated in the master.config file.
Invalid audience
If you get the following error message after login and the following errors in the log file, the value of Validation:ValidAudience in the master.config file is incorrect or has changed on the identity provider’s side.
17:05:05.389 [ERR] Services.OidcService[][800195f5-0002-d000-b63f-84710c7967bb]: Token validation failed! Error: IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateTokenPayload(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters)
17:05:05.406 [ERR] Controllers.OidcController[][800195f5-0002-d000-b63f-84710c7967bb]: Authentication failed. Message: Token validation failed!
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Token validation failed!
at Grassfish.Server.GenericOidcLogin.Services.OidcService.RetrieveClaimsIdentityAsync(String code, String state, String sessionState, String redirectUri, String cookieState, String cookieNonce, CancellationToken ct) in /opt/atlassian/pipelines/agent/build/src/GenericOidcLogin/Services/OidcService.cs:line 152
at Grassfish.Server.GenericOidcLogin.Controllers.OidcController.Callback(String code, String state, String sessionState, String error, String errorDescription, CancellationToken ct) in /opt/atlassian/pipelines/agent/build/src/GenericOidcLogin/Controllers/OidcController.cs:line 123
In this case, the identity provider must provide the new audience value, which must be updated in the master.config file. This is usually the same value as the client ID.
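The audience mismatch described above can be confirmed by comparing the aud claim of an ID token issued for the application with the configured Validation:ValidAudience value. The following Python script is an added example, not Grassfish code; the sample token, the client IDs and the function names are constructed for illustration, and the signature is deliberately not verified because the script is for diagnostics only.

```python
import base64
import json


def b64url_json(obj):
    """Encode a dict as unpadded base64url JSON (used to build the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Return the claims of a compact JWT without verifying the signature.

    Diagnostics only: never use unverified claims for authentication.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(token, valid_audience):
    """Compare the aud claim with the configured Validation:ValidAudience.

    Returns (matches, audiences). aud may be one string or a list of strings.
    Plain exact comparison; the server's own validator remains authoritative.
    """
    aud = decode_jwt_payload(token).get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    return valid_audience in audiences, audiences


# Constructed sample token: the provider now issues tokens for "new-client-id".
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "typ": "JWT"}),
    b64url_json({"iss": "https://openidprovider", "aud": "new-client-id", "sub": "u1"}),
    "c2lnbmF0dXJl",  # placeholder signature, not checked
])

if __name__ == "__main__":
    for configured in ("old-client-id", "new-client-id"):  # hypothetical values
        ok, seen = check_audience(SAMPLE_TOKEN, configured)
        print(f"ValidAudience={configured!r} token aud={seen} -> "
              f"{'OK' if ok else 'MISMATCH (would fail with IDX10214)'}")
```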
Invalid configuration URL
If you get the following error message after login and the following errors in the log file, the value of OpenId:ConfigurationEndpoint in the master.config file is incorrect or has changed on the identity provider’s side.
17:09:42.094 [ERR] Controllers.OidcController[][80013925-0005-b600-b63f-84710c7967bb]: Login failed!
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Grassfish.Server.GenericOidcLogin.Services.OidcService.BuildAuthorizationEndpointUrlAsync(String redirectUri, CancellationToken ct) in /opt/atlassian/pipelines/agent/build/src/GenericOidcLogin/Services/OidcService.cs:line 66
at Grassfish.Server.GenericOidcLogin.Controllers.OidcController.Init(String application, LoginRequestParameters parameters, CancellationToken ct) in /opt/atlassian/pipelines/agent/build/src/GenericOidcLogin/Controllers/OidcController.cs:line 70
In this case, the identity provider must provide the new configuration endpoint value, which must be updated in the master.config file. Example: https://openidprovider/.well-known/openid-configuration