"OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct. undefined"

What’s going on

I’m looking to test out Cloudflare Access, and tie it together with the [cloud IdP offering from Ory](https://www.ory.sh/).

Cloudflare Access allows for manually testing the flow underneath the Settings > Authentication, which is what I press in order to login and retrieve the openid, email, and profile scopes from my IdP provider.

Behavior that I’d expect

  • Cloudflare Access to go through a generic OIDC flow to hit the Ory cloud offering, and which would then send back data to the callback URL, finally displaying a successful landing page.

Behavior actually observed

  • Cloudflare Access does go through a general OIDC flow, hits the Ory cloud offering, and the Ory cloud offering sends data to the callback URL, but an error page shows up right afterwards on Cloudflare’s side, with the following error message:
OIDC ERROR: Failed to exchange code for token. Make sure the client secret is correct.
undefined

I’m guessing the undefined is actually a slight bug on the Cloudflare Access FE UI and more debugging information should have been there, but at this point I’m at a bit of a block since I can’t investigate further to see why Cloudflare thinks the client secret is wrong.

What did you do to investigate

I rolled my generated client secret again and pasted the new one into my OIDC , but the same error message popped up. Given that the callback URL was called in the first place, and that previously my IdP was rejecting the requests as malformed due to not accepting the email/profile scopes (which is now fixed and currently calling the callback URL), I’m guessing the issue lies somewhere on the Cloudflare side of things

1 Like

same issue with keycloak and authentik with openid connect

1 Like

Also running into the same issue using keycloak

1 Like