[SalesForce] OpenID Connect – Bad Response

I've seen a few posts regarding this topic, however they do not appear to solve my issue. I also have a posting on the developer forum.

I'm setting up our authentication provider to allow users to access Salesforce with our enterprise network credentials – grant type of authentication code. I currently have an authentication provider set up in Salesforce and a client set up in the authentication provider. When loading the provided test URL, I'm sent to the auth provider to log in. Successful login results in (from what I can tell) a well-formed authentication response – it contains state and code parameters. The next endpoint is the URL I entered as the error URL in the Salesforce configuration for the authentication provider, with 3 parameters:

  • ErrorCode=No_Openid_Response
  • ErrorDescription=Bad+response
  • ProviderId={{ID of the auth provider configuration in SF}}

The issue appears to be Salesforce rejecting the authentication response which is preventing it from executing the token request.

I've attempted to decode the authentication response to see if there are malformed characters or anything, but I'm not seeing how to do so.

I've verified the signed certification authority on our authentication provider is an allowed authority by Salesforce as well.

I'm looking for a way to troubleshoot this or suggestions on issues.



Update

It appears the issue was due to a user attribute added to the authentication provider's mapping. I need this to match against Salesforce to identify a user, so I'm not sure why that did not/is not working. That said, it does not appear to be a Salesforce issue at this point.

Best Answer

I ran into the same error today. In my case the problem was that my OpenID Connect OP was configured to return the UserInfo as a signed JWT. I disabled signing so that the data would be returned as a JSON object and everything started working as expected.
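The two causes reported on this page (the UserInfo endpoint returning a signed JWT instead of JSON, and a claim needed for user matching not being present) can both be checked by capturing the raw UserInfo response from the OP and inspecting it before involving Salesforce. The script below is an added example, not code from the question, the answer, or Salesforce: it classifies a captured body as plain JSON or a compact JWS, decodes a JWS payload without verifying the signature (purely to see what the OP sends, never to trust the claims), and reports which identifying claims are missing. The `Content-Type` value and body are assumed to have been captured with a tool such as a browser devtools or curl; the `email` entry in `REQUIRED_CLAIMS` and the sample responses are constructed assumptions, since only `sub` is guaranteed by OpenID Connect.

```python
import base64
import json

# Claim names a relying party typically uses to match the user. Only "sub" is
# guaranteed by OIDC; "email" is an assumption for this example.
REQUIRED_CLAIMS = ("sub", "email")

_UNKNOWN = {"format": "unknown", "alg": None, "claims": None}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWS omits '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url (used only to build the constructed samples)."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def classify_userinfo(content_type: str, body: str) -> dict:
    """Classify a UserInfo response body as plain JSON or a compact JWS (signed JWT).

    A JWS payload is decoded WITHOUT signature verification: this is a
    troubleshooting aid to see what the OP sends, not a way to trust claims.
    Returns {"format": "json"|"jwt"|"unknown", "alg": str|None, "claims": dict|None}.
    """
    media_type = content_type.split(";")[0].strip().lower()
    body = body.strip()
    parts = body.split(".")
    # Compact JWS: exactly three non-empty base64url segments, never a JSON object.
    looks_like_jws = len(parts) == 3 and all(parts) and not body.startswith("{")
    if media_type == "application/jwt" or looks_like_jws:
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
        except (ValueError, IndexError):  # bad base64, bad JSON, or too few segments
            return dict(_UNKNOWN)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return dict(_UNKNOWN)
        return {"format": "jwt", "alg": header.get("alg"), "claims": claims}
    try:
        claims = json.loads(body)
    except ValueError:
        return dict(_UNKNOWN)
    if not isinstance(claims, dict):
        return dict(_UNKNOWN)
    return {"format": "json", "alg": None, "claims": claims}


def missing_claims(claims: dict, required=REQUIRED_CLAIMS) -> list:
    """Names from `required` that are absent or empty in the claims."""
    return [name for name in required if not claims.get(name)]


def diagnose(content_type: str, body: str) -> str:
    """One-line verdict for a captured UserInfo response."""
    result = classify_userinfo(content_type, body)
    if result["format"] == "unknown":
        return "UserInfo body is neither a JSON object nor a compact JWS; check the endpoint URL"
    if result["format"] == "jwt":
        return (f"UserInfo is a signed JWT (alg={result['alg']}); "
                "return plain JSON from the OP or the relying party may reject it")
    gaps = missing_claims(result["claims"])
    if gaps:
        return "UserInfo is JSON but lacks identifying claims: " + ", ".join(gaps)
    return "UserInfo is JSON with the expected identifying claims"


# Constructed sample responses (not captured from any real OP).
_CLAIMS = {"sub": "248289761001", "email": "jdoe@example.com", "preferred_username": "jdoe"}
SAMPLE_JSON_RESPONSE = json.dumps(_CLAIMS)
SAMPLE_JWT_RESPONSE = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-key"}).encode()),
    _b64url_encode(json.dumps(_CLAIMS).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

if __name__ == "__main__":
    print(diagnose("application/jwt", SAMPLE_JWT_RESPONSE))
    print(diagnose("application/json", SAMPLE_JSON_RESPONSE))
    print(diagnose("application/json", json.dumps({"sub": "248289761001"})))
```

To use it against a real OP, fetch the UserInfo endpoint with the access token obtained from the token request (for example `curl -H "Authorization: Bearer <token>"`), then pass the response's `Content-Type` and body to `diagnose`. A body that decodes as a JWS is the situation the answer above describes; a JSON body that lacks the claim your attribute mapping keys on is the situation the update describes.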