Troubleshooting
Below are some common errors which may occur when an OAuth login flow fails, the conditions that may cause those errors, and possible solutions.
General
The following error conditions are generally applicable across different OAuth integration types or are emitted by the Connect Server API.
No refresh token found in response. Refresh tokens are required to update access tokens when they expire. Are you missing the offline_access scope in the OAuth integration configuration?
Cause: Connect did not receive a refresh token in the response from the external OAuth application during the OAuth login.
Solution: Ensure that your Connect OAuth integration’s scopes are configured to request refresh tokens. This is often represented by the offline_access scope. Note that Snowflake uses the refresh_token scope to represent offline access. If configuring a custom OAuth integration with GitHub, you need to configure a GitHub App rather than an OAuth app. GitHub OAuth apps do not return refresh tokens.
Connect API Error 215: Invalid subject_token
Cause: Connect rejected the subject_token when the content attempted to exchange it for an OAuth access token. There are multiple root causes that can produce this error, but a common scenario is that the subject_token expired.
Solution: Refreshing the browser reinitiates the connection with the server. In response, Connect issues a fresh subject_token with an updated expiration timestamp. For more information on what constitutes a valid subject_token and the various scenarios that may lead to subject_token rejection, see the Credential Exchange section of the OAuth Integrations Security document.
Connect API Error 219: Refresh token is invalid
Cause: The application viewer’s OAuth refresh token may have expired.
Solution: Log out and log in to the OAuth integration through the Access tab in the Content Settings pane. See the OAuth integrations section of the User Guide for additional details. Alternatively, you can manage OAuth sessions through the Connect API.
ClientError: No OAuth integrations have been associated with this content item.
Cause: The publisher has not associated an OAuth integration with their deployed content.
Solution: Associate an OAuth integration with the deployed content. This can be done on the Access tab of the Content Settings pane of the dashboard. For more information, see the Adding OAuth Integrations to Deployed Content section of the User Guide.
ClientError: No OAuth session found. Log in to the OAuth Integration before requesting credentials.
Cause: The viewer has not logged into the external OAuth application, so Connect does not have access to their OAuth credentials.
Solution: The user needs to log in to the external OAuth application. When viewing content through the dashboard, they should see a pop-up modal directing them to log in, or a login button in the Access tab of the Content Settings pane. Alternatively, if they are accessing the content in Open Solo mode, they are automatically redirected to the OAuth login flow.
The config key client_secret must not be provided
Cause: This error can occur if a Confidential integration is modified to be Public, but the client secret is not removed from the integration.
Solution: Use the Connect Server API to set the public integration’s client_secret to null.
Azure (Microsoft Entra ID)
The following error conditions are specific to Azure OAuth integrations.
BadRequest: io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
Cause: This error can occur for viewers if the integration is configured with incorrect scopes.
Solution: Update the integration to use the correct scopes. For more information on common scopes needed for Azure OAuth applications, see the Add API permissions section of the Azure OAuth Integrations guide.
AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app <app_guid>.
Cause: This error can occur when a viewer attempts to log in to the OAuth application if the integration’s client secret is misconfigured.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Azure OAuth integrations guide for more details.
AADSTS500113: No reply address is registered for the application.
Cause: The external OAuth application does not have a redirect URI configured.
Solution: Update the external OAuth application with a valid redirect URI. This may require coordination with the OAuth application administrator. See the OAuth application registration section of the Azure OAuth integrations guide for more details.
AADSTS50011: The redirect URI '<connect_server>/__oauth__/integrations/callback' specified in the request does not match the redirect URIs configured for the application <application_guid>. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Cause: The external OAuth application does not have a valid redirect URI configured.
Solution: Update the external OAuth application with a valid redirect URI. This may require coordination with the OAuth application administrator. See the OAuth application registration section of the Azure OAuth integrations guide for more details.
AADSTS7000222: The provided client secret keys for app '<app_guid>' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.
Cause: This error can occur when Connect attempts to refresh a viewer’s OAuth access token if the integration’s client secret is expired.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Azure OAuth integrations guide for more details.
Snowflake
The following error conditions are specific to Snowflake OAuth integrations.
Error occurred in authorization: There is a mismatch in the given redirect uri with the one in the registered OAuth client integration.
Cause: The external OAuth application does not have a valid redirect URI configured.
Solution: Update the external OAuth application with a valid redirect URI. This may require coordination with the OAuth application administrator. See the OAuth application registration section of the Snowflake OAuth integrations guide for more details.
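The redirect URI errors above (AADSTS500113, AADSTS50011 and the Snowflake mismatch) all come down to comparing the URI Connect sends with the ones registered on the external OAuth application. The following is an added example, not part of the Connect documentation or product: a small checker that builds the expected callback URI and reports why each registered URI fails to match. The server address, the registered URIs and the function names are hypothetical, and exact string comparison by the provider is an assumption.

```python
from urllib.parse import urlsplit

# Callback path as shown in the AADSTS50011 message on this page.
CALLBACK_PATH = "/__oauth__/integrations/callback"
DEFAULT_PORTS = {"http": 80, "https": 443}

def expected_redirect_uri(connect_server):
    """Redirect URI Connect sends, built from the server's public address."""
    return connect_server.rstrip("/") + CALLBACK_PATH

def diagnose(connect_server, registered):
    """Return [] on an exact match, else one finding per registered URI."""
    expected = expected_redirect_uri(connect_server)
    if expected in registered:  # assumption: provider compares exact strings
        return []
    if not registered:
        return ["no redirect URI is registered on the OAuth application"]
    exp = urlsplit(expected)
    findings = []
    for uri in registered:
        got, why = urlsplit(uri), []
        if got.scheme != exp.scheme:
            why.append(f"scheme is {got.scheme!r}, expected {exp.scheme!r}")
        elif (got.port or DEFAULT_PORTS.get(got.scheme)) != (
            exp.port or DEFAULT_PORTS.get(exp.scheme)
        ):
            why.append("port differs")
        if got.hostname != exp.hostname:
            why.append(f"host is {got.hostname!r}, expected {exp.hostname!r}")
        if got.path.rstrip("/") == exp.path and got.path != exp.path:
            why.append("trailing slash after the callback path")
        elif got.path != exp.path:
            why.append(f"path is {got.path!r}, expected {exp.path!r}")
        if got.query or got.fragment:
            why.append("query string or fragment present")
        detail = "; ".join(why) or "differs only in formatting (host case, default port)"
        findings.append(f"{uri}: {detail}")
    return findings

# Constructed sample: hypothetical server address and registered URIs.
SERVER = "https://connect.example.com/"
REGISTERED = [
    "http://connect.example.com/__oauth__/integrations/callback",
    "https://connect.example.com/__oauth__/integrations/callback/",
    "https://connect.example.com/callback",
]
print("\n".join(diagnose(SERVER, REGISTERED)))
```

An empty result means one registered URI is byte-for-byte identical to the one Connect sends; any finding names the component to correct in the OAuth application's registration.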
ProgrammingError: 251001: Account must be specified
Cause: The Snowflake Python Connector requires the Snowflake account name to be configured. The Snowflake account name should be passed into the connect function when the connection is initialized:

    con = snowflake.connector.connect(
        account="<account_name>",
        ...
    )

Custom (Keycloak)
The following error conditions have been observed for Custom OAuth integrations which target an OAuth application configured in Keycloak.
unauthorized_client: Invalid client or Invalid client credentials
Cause: This error can occur when a viewer attempts to log in to the external OAuth application if the integration’s client secret is misconfigured.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Custom OAuth integrations guide for more details.
400 Bad Request: Invalid client or Invalid client credentials
Cause: This error can occur when Connect attempts to refresh a viewer’s OAuth access token if the integration’s client secret is misconfigured.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Custom OAuth integrations guide for more details.