Sorry for kicking this dead horse; I've seen this question asked before. The problem is that the answers to it are of no use: it has nothing to do with the fact that it's a "localhost", provided that the parties can talk to each other using the protocol (i.e. ports are forwarded, redirections are correctly set, etc.).
I'm currently facing the same problem, and have posted my findings on Salesforce's forums (for some reason I can't access their issue reporting system, so I can't ask them directly), but it didn't help to resolve it.
To make a long story short:
- My OpenID Connect identity provider is running in a VM behind a NAT, which has external port 10888 forwarded to its port 443. Forwarding is working fine; I tested it.
- The 1st phase of the OpenID Connect protocol completes successfully: the authz code is issued and the flow is returned to the callback URL.
- Then this error about an empty token follows. I tried to monitor the connections with Wireshark and spotted that the Salesforce OIDC client actually tries to connect to my IdP, gets all the way through the forwarding to the VM, and isn't able to pass the TLS initiation phase: when my IdP presents its certificate to it (which is self-signed), the client immediately responds with a "Certificate unknown" error message, and the connection is torn down.
So the real problem is, most likely, that Salesforce doesn't react well to self-signed certificates presented by IdPs. This is not very wise, as they are ubiquitously used by developers for test purposes.
Here is a picture of what I'm talking about:
I've shuffled through different docs and found nothing that could help resolve the issue, so any help is appreciated.
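What the Wireshark trace above shows, a client aborting the TLS handshake because nothing in its trust store signs the IdP's certificate, can be reproduced locally without Salesforce in the loop. The Go program below is an added example, not code from the post or from Salesforce: it mints a self-signed certificate for the hypothetical hostname idp.example.test, serves it on a loopback port in place of the IdP VM, and then dials it three ways, as an OIDC client does when it fetches the token endpoint: with a trust store that does not contain the certificate (the situation described in the post; the handshake is aborted with an unknown-authority error), with the certificate explicitly trusted (the handshake completes), and, as a related check worth making once a trusted certificate is in place, under a name that is not in the certificate's SANs, for instance the NAT's public hostname (rejected as a name mismatch). The hostnames, the helper names and the `must` wrapper are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on err: acceptable for building demo fixtures, not for real code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSignedCert mints a throwaway self-signed certificate for host, standing
// in for the IdP's test certificate: issuer == subject, no CA above it.
func newSelfSignedCert(host string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// startIdP serves TLS with cert on a loopback port, playing the IdP VM behind
// the port forward. It only completes handshakes; the client decides on trust.
func startIdP(cert tls.Certificate) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// probe dials addr as an OIDC client does when fetching the token endpoint,
// verifying the server certificate against roots for serverName. nil means
// the handshake completed; otherwise the error that aborted it is returned.
func probe(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

// classify names why a probe failed, telling an untrusted issuer (the post's
// case) apart from a hostname mismatch.
func classify(err error) string {
	var ua x509.UnknownAuthorityError
	var he x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "untrusted" // nothing in the trust store signs the IdP certificate
	case errors.As(err, &he):
		return "hostname" // certificate was not issued for the name dialed
	default:
		return "other"
	}
}

func main() {
	cert := newSelfSignedCert("idp.example.test") // hypothetical IdP hostname
	ln := startIdP(cert)
	defer ln.Close()
	addr := ln.Addr().String()
	trusted := x509.NewCertPool()
	trusted.AddCert(cert.Leaf)
	// Empty trust store, as a client that only knows public CAs effectively has;
	// then the cert explicitly trusted; then trusted but dialed under a name
	// (say, the NAT's public hostname) that is not in its SANs.
	fmt.Println("not in trust store:", classify(probe(addr, "idp.example.test", x509.NewCertPool())))
	fmt.Println("trusted:", classify(probe(addr, "idp.example.test", trusted)))
	fmt.Println("wrong name:", classify(probe(addr, "nat.example.test", trusted)))
}
```

Against a real endpoint, `openssl s_client -connect host:10888 -servername host </dev/null` gives the same verdict in its "Verify return code" line, and is the quickest way to confirm that the certificate the forwarded port actually presents is the one you expect under the public hostname.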
Best Answer
Just wanted to note that I've managed to get a response from Salesforce's support. They confirmed that their current implementation of the OpenID Connect client will reject self-signed certificates provided by the IdPs it connects to. They promised to put the feature of allowing such certificates up for voting on their forums and, if supported by other users, to put it on their to-do list.