"OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined"

What’s going on

I’m looking to test out Cloudflare Access, and tie it together with the [cloud IdP offering from Ory](https://www.ory.sh/).

Cloudflare Access allows for manually testing the flow under Settings > Authentication, which is what I use in order to log in and retrieve the openid, email, and profile scopes from my IdP.

Behavior that I’d expect

  • Cloudflare Access to go through a generic OIDC flow to hit the Ory cloud offering, which would then send data back to the callback URL, finally displaying a successful landing page.

Behavior actually observed

  • Cloudflare Access does go through a general OIDC flow, hits the Ory cloud offering, and the Ory cloud offering sends data to the callback URL, but an error page shows up right afterwards on Cloudflare’s side, with the following error message:
OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct.
undefined

I’m guessing the undefined is actually a slight bug on the Cloudflare Access FE UI and more debugging information should have been there, but at this point I’m at a bit of a block since I can’t investigate further to see why Cloudflare thinks the client secret is wrong.

What did you do to investigate

I rolled my generated client secret again and pasted the new one into my OIDC configuration, but the same error message popped up. Given that the callback URL was called in the first place, and that previously my IdP was rejecting the requests as malformed due to not accepting the email/profile scopes (which is now fixed and currently calling the callback URL), I’m guessing the issue lies somewhere on the Cloudflare side of things.

3 Likes

Same issue with Keycloak and Authentik with OpenID Connect.

1 Like

Also running into the same issue using Keycloak.

2 Likes

Running into the same issue with Authentik

After whitelisting Cloudflare’s IP addresses, it seems to work.

https://www.cloudflare.com/ips/

Cool. How did you whitelist…not sure I understand where. Thanks.

I am not 100% confident it was needed, but I whitelisted them in ZeroTrust → Access → Applications → → Add a policy for IP range and add them in.

Thanks will give it a try.

Did you ever find a solution to this? I am having the same issue with Ory, and am unable to determine how to get it working.

I’m trying to connect the Generic OIDC to a Synology NAS SSO install and I’m getting the same result. There’s no logging on the CF end, so I’m guessing the “undefined” is as close as I get to an error detail. I am able to connect to my IDP using other platforms without a problem. It just seems to be CF throwing the error. Has anyone found a way to debug this or get some useful information?

I am seeing the same thing with Nextcloud and the OIDC provider app. In my case, it is because the app needs the credentials to not be passed with a Basic Auth request, but in the request body. I don’t know if that helps anyone else, but in my case I need to be able to choose the way credentials are being transmitted.
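
The difference the previous reply describes is the OIDC/OAuth client authentication method at the token endpoint: `client_secret_basic` puts `client_id:client_secret` in an `Authorization: Basic` header, while `client_secret_post` sends them as form fields. The following is an added example, not code from the thread, Cloudflare or Nextcloud: it builds the token request both ways and runs it against a small simulated token endpoint that, like the provider described above, only looks at the body. The client ID, secret and URL are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed credentials and endpoint for the example; not from any real deployment.
CLIENT_ID = "cloudflare-access"
CLIENT_SECRET = "s3cr3t-example"
TOKEN_URL = "https://idp.example/oidc/token"  # hypothetical


def build_token_request(code, redirect_uri, auth_method):
    """Build the HTTP parts of an authorization_code token exchange.

    auth_method is 'client_secret_basic' (credentials in an Authorization
    header, RFC 6749 section 2.3.1) or 'client_secret_post' (credentials as
    form fields in the body, RFC 6749 section 2.3.1 second form).
    RFC 6749 form-encodes id and secret before base64; for these ASCII
    values that changes nothing, so the encoding step is omitted here.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        creds = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif auth_method == "client_secret_post":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return {"url": TOKEN_URL, "headers": headers, "body": urlencode(form)}


def fake_token_endpoint(request, accepted_methods):
    """Simulate a provider that understands only some client auth methods.

    Returns (status_code, json_body). A provider that ignores the
    Authorization header finds no client_secret in the body and answers
    invalid_client, which a relying party surfaces as "client secret is wrong"
    even though the secret itself is correct.
    """
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    client_id = client_secret = None
    auth = request["headers"].get("Authorization", "")
    if "client_secret_basic" in accepted_methods and auth.startswith("Basic "):
        decoded = base64.b64decode(auth[6:]).decode()
        client_id, client_secret = decoded.split(":", 1)
    elif "client_secret_post" in accepted_methods and "client_secret" in form:
        client_id, client_secret = form.get("client_id"), form["client_secret"]
    if client_id != CLIENT_ID or client_secret != CLIENT_SECRET:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code" or not form.get("code"):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": "at-example", "token_type": "Bearer"}


def exchange(code, redirect_uri, auth_method, accepted_methods):
    """Run one code-for-token exchange end to end against the fake endpoint."""
    req = build_token_request(code, redirect_uri, auth_method)
    return fake_token_endpoint(req, accepted_methods)


if __name__ == "__main__":
    cb = "https://rp.example/cdn-cgi/access/callback"  # hypothetical callback
    for method in ("client_secret_basic", "client_secret_post"):
        print(method, exchange("abc123", cb, method, {"client_secret_post"}))
```

When debugging a "client secret is wrong" error with a correct secret, capture the token request on the provider side and check which of the two forms arrives; a provider's `token_endpoint_auth_methods_supported` in its discovery document says which forms it accepts.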

Did you manage to solve this? Trying to configure Nextcloud as ID provider too.

I had the same problem, just appeared out of the blue yesterday. I am using Keycloak v25

Upon further investigation, I noticed that the system clock on the server running Keycloak was off by over 60 seconds.
I then synchronized the server with an NTP server (pool.ntp.org for example), and the error went away → authentication started to work again instantly.

Hope it helps someone

1 Like
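
A relying party that validates the ID token's `iat`/`exp`/`nbf` claims with a small skew allowance will reject a token minted by an issuer whose clock is more than that allowance ahead, which matches the clock fix in the reply above. The following is an added example, not code from the thread, Cloudflare or Keycloak: it mints an HS256 token as a stand-in for the IdP and validates it with a configurable leeway, so the 60-second drift can be reproduced offline. The shared HMAC key and timestamps are constructed for the example; a real ID token is RS256/ES256-signed and must be checked against the provider's JWKS key.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key standing in for the provider's signing key.
SIGNING_KEY = b"example-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict) -> str:
    """Issue an HS256 JWT with the given claims (plays the IdP's role)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, now: int, leeway: int = 30) -> tuple:
    """Verify signature and time claims; return (ok, reason).

    `now` is the relying party's clock; `leeway` is the clock skew tolerated
    in seconds. An `iat` further in the future than `leeway` means the issuer's
    clock is ahead of ours; an `exp` behind `now` by more than `leeway` means
    the token expired (or our clock is ahead of the issuer's).
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(p))
    for name in ("iat", "exp"):
        if not isinstance(claims.get(name), int):
            return False, f"missing {name}"
    if claims["iat"] > now + leeway:
        return False, f"iat is {claims['iat'] - now}s in the future (issuer clock ahead?)"
    if "nbf" in claims and claims["nbf"] > now + leeway:
        return False, "token not yet valid"
    if claims["exp"] < now - leeway:
        return False, "token expired"
    return True, "ok"


def skew_demo(skew_seconds: int, now: int, leeway: int = 30, lifetime: int = 300) -> tuple:
    """Mint a token on an issuer whose clock is `skew_seconds` off, validate it
    with the relying party's clock at `now`, and return (ok, reason)."""
    issuer_now = now + skew_seconds
    token = mint_id_token({
        "iss": "https://idp.example",          # hypothetical issuer
        "sub": "user-1", "aud": "cloudflare-access",
        "iat": issuer_now, "exp": issuer_now + lifetime,
    })
    return validate_id_token(token, now, leeway)


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed "current" time for the demo
    for skew in (0, 20, 65, -65):
        print(f"issuer clock off by {skew:+d}s:", skew_demo(skew, NOW))
```

The quick check on a real deployment is to compare the `Date` header of the IdP's HTTPS response with the clock on the relying party, or to decode the ID token's `iat` and compare it with the time at which the callback was received.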
