I’m looking to test out Cloudflare Access, and tie it together with the [cloud IdP offering from Ory](https://www.ory.sh/).
Cloudflare Access allows for manually testing the flow underneath the Settings > Authentication, which is what I press in order to login and retrieve the openid, email, and profile scopes from my IdP provider.
Behavior that I’d expect
Cloudflare Access goes through a generic OIDC flow to hit the Ory cloud offering, which then sends data back to the callback URL, finally displaying a successful landing page.
Cloudflare Access does go through a general OIDC flow, hits the Ory cloud offering, and the Ory cloud offering sends data to the callback URL, but an error page shows up right afterwards on Cloudflare’s side, with the following error message:
```
OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct.
undefined
```
I’m guessing the undefined is actually a slight bug on the Cloudflare Access FE UI and more debugging information should have been there, but at this point I’m at a bit of a block since I can’t investigate further to see why Cloudflare thinks the client secret is wrong.
What did you do to investigate
I rolled my generated client secret again and pasted the new one into my OIDC, but the same error message popped up. Given that the callback URL was called in the first place, and that previously my IdP was rejecting the requests as malformed due to not accepting the email/profile scopes (which is now fixed and currently calling the callback URL), I’m guessing the issue lies somewhere on the Cloudflare side of things.
I’m trying to connect the Generic OIDC to a Synology NAS SSO install and I’m getting the same result. There’s no logging on the CF end, so I’m guessing the “undefined” is as close as I get to an error detail. I am able to connect to my IDP using other platforms without a problem. It just seems to be CF throwing the error. Has anyone found a way to debug this or get some useful information?
I am seeing the same thing with Nextcloud and the OIDC provider app. In my case, it is because the app needs the credentials to not be passed with a Basic Auth request, but in the request body. I don’t know if that helps anyone else, but in my case I need to be able to choose the way credentials are being transmitted.
I had the same problem, it just appeared out of the blue yesterday. I am using Keycloak v25.
Upon further investigation, I noticed that the system clock on the server running Keycloak was off by over 60 seconds.
I then synchronized the server with an NTP server (pool.ntp.org for example), and the error went away → authentication started to work again instantly.
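Two of the causes raised in this thread, the client authentication method at the token endpoint (Basic Auth header vs. credentials in the request body, as in the Nextcloud reply) and clock skew on the IdP host (as in the Keycloak reply), can be checked without any Cloudflare logging by replaying the code exchange yourself. The script below is an added example, not code from Cloudflare, Ory or any poster in this thread; the token endpoint, client id, secret, code and redirect URI you pass in are placeholders for your own values.

```python
import base64
import email.utils
import json
import time
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

def basic_auth_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: form-urlencode id and secret *before* base64.
    # Skipping this makes secrets containing '%', '+' or spaces look "wrong".
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()

def build_token_request(token_endpoint, code, redirect_uri, client_id,
                        client_secret, method="client_secret_basic"):
    """Build the authorization-code exchange with either client auth method."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if method == "client_secret_basic":          # credentials in the Authorization header
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":         # credentials in the form body
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client auth method: {method}")
    return {"url": token_endpoint, "headers": headers, "data": urlencode(body).encode()}

def classify_token_error(status, body_text):
    """Map an RFC 6749 section 5.2 error response to the likely cause."""
    try:
        err = json.loads(body_text).get("error", "unknown")
    except ValueError:
        err = "non-json"
    hints = {
        "invalid_client": "client auth rejected: check the secret, then retry with the other auth method",
        "invalid_grant": "code rejected: expired/reused code, redirect_uri mismatch, or clock skew",
        "unauthorized_client": "this client is not allowed the authorization_code grant",
    }
    return err, hints.get(err, f"HTTP {status}: inspect the raw response")

def clock_skew_seconds(date_header, now=None):
    """Seconds the local clock is ahead of the IdP's HTTP Date header (negative = behind)."""
    remote = email.utils.parsedate_to_datetime(date_header).timestamp()
    return (time.time() if now is None else now) - remote

def exchange(req):
    """Send a built request; returns (status, Date header, body). Needs network."""
    try:
        with urllib.request.urlopen(urllib.request.Request(method="POST", **req), timeout=10) as r:
            return r.status, r.headers.get("Date"), r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Date"), e.read().decode()
```

Run build_token_request once with each method value against your IdP's token endpoint, feed both to exchange, and compare the classified errors; a large clock_skew_seconds on the returned Date header points at the NTP fix from the Keycloak reply.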