"OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined"

What’s going on

I’m looking to test out Cloudflare Access, and tie it together with the [cloud IdP offering from Ory](https://www.ory.sh/).

Cloudflare Access allows for manually testing the flow underneath the Settings > Authentication, which is what I press in order to login and retrieve the openid, email, and profile scopes from my IdP provider.

Behavior that I’d expect

  • Cloudflare Access to go through a generic OIDC flow to hit the Ory cloud offering, and which would then send back data to the callback URL, finally displaying a successful landing page.

Behavior actually observed

  • Cloudflare Access does go through a general OIDC flow, hits the Ory cloud offering, and the Ory cloud offering sends data to the callback URL, but an error page shows up right afterwards on Cloudflare’s side, with the following error message:
OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct.

I’m guessing the “undefined” is actually a slight bug on the Cloudflare Access FE UI and more debugging information should have been there, but at this point I’m at a bit of a block since I can’t investigate further to see why Cloudflare thinks the client secret is wrong.

What did you do to investigate

I rolled my generated client secret again and pasted the new one into my OIDC, but the same error message popped up. Given that the callback URL was called in the first place, and that previously my IdP was rejecting the requests as malformed due to not accepting the email/profile scopes (which is now fixed and currently calling the callback URL), I’m guessing the issue lies somewhere on the Cloudflare side of things.
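The step that fails here is the authorization-code-for-token request that Cloudflare Access makes to the IdP. The script below is an added diagnostic, not Cloudflare's or Ory's code: it replays that request against the IdP's token endpoint (the endpoint URL, client id/secret, redirect URI and a freshly issued code are all assumed inputs) so the IdP's raw reply is visible instead of Cloudflare's "undefined", and it separates a rejected secret from a request that never reached the OAuth layer, e.g. one dropped by an IP allow-list or proxy in front of the IdP.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri):
    """RFC 6749 4.1.3 token request, client_secret_basic: id and secret are
    form-urlencoded before Base64 (2.3.1), which matters for secrets with ':' or '+'."""
    cred = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
    headers = {"Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    # redirect_uri must be byte-identical to the one sent to /authorize
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": redirect_uri}).encode()
    return token_endpoint, headers, body


def token_exchange(token_endpoint, client_id, client_secret, code, redirect_uri):
    """POST the request; return (status, content_type, body) even on HTTP errors."""
    url, headers, body = build_token_request(token_endpoint, client_id, client_secret, code, redirect_uri)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read().decode(errors="replace")


def diagnose(status, content_type, body):
    """Separate the cases Cloudflare folds into 'make sure the client secret is correct'."""
    if status == 200:
        return "ok"
    if "application/json" in content_type:
        try:
            err = json.loads(body).get("error", "")
        except (ValueError, AttributeError):
            err = ""
        if err == "invalid_client":
            return "client_id/secret rejected by the IdP"
        if err == "invalid_grant":
            return "code already used/expired, or redirect_uri mismatch"
        if err:
            return "oauth error: " + err
    if status in (401, 403):
        return "blocked before OAuth processing (IP allow-list, WAF or proxy in front of the IdP)"
    return "unexpected HTTP %d" % status
```

Call `diagnose(*token_exchange(token_endpoint, client_id, client_secret, code, redirect_uri))` with a code taken from the redirect of a fresh /authorize round trip using the same redirect_uri, since codes are single-use and short-lived. A clean "ok" from your own workstation while Cloudflare still fails points at something network-level treating Cloudflare's egress addresses differently, which is consistent with the allow-listing fix reported later in this thread.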


same issue with keycloak and authentik with openid connect

Also running into the same issue using keycloak

Running into the same issue with Authentik

After whitelisting Cloudflare’s IP addresses, it seems to work


Cool. How did you whitelist… not sure I understand where. Thanks.

I am not 100% confident it was needed, but I whitelisted them in ZeroTrust → Access → Applications → → Add a policy for IP range and add them in.

Thanks will give it a try.

Did you ever find a solution to this? I am having the same issue with Ory, and am unable to determine how to get it working.

I’m trying to connect the Generic OIDC to a Synology NAS SSO install and I’m getting the same result. There’s no logging on the CF end, so I’m guessing the “undefined” is as close as I get to an error detail. I am able to connect to my IDP using other platforms without a problem. It just seems to be CF throwing the error. Has anyone found a way to debug this or get some useful information?