Guides
Troubleshooting

Troubleshooting Guide

This guide addresses common issues encountered when integrating with Optare SSO.

Authentication Errors

invalid_request: nonce is required for openid scope

Cause: The openid scope was requested, but the nonce parameter was missing from the authorization URL. Solution:

  • Ensure your OIDC client is configured to send a nonce.
  • For NextAuth.js, set checks: ["pkce", "state", "nonce"] in your provider configuration.
  • If constructing the URL manually, generate a random string and append &nonce=YOUR_RANDOM_STRING.

invalid_request: redirect_uri is required or does not match

Cause: The redirect_uri parameter is missing or does not exactly match one of the URIs registered for your client. Solution:

  • Check the Optare Developer Console to verify your registered Redirect URIs.
  • Ensure the URI is exact (including trailing slashes, protocol, etc.).
  • http://localhost:3000/api/auth/callback/optare is a common pattern for NextAuth.

invalid_client

Cause: The client_id or client_secret is incorrect. Solution:

  • Verify your credentials in the Developer Console.
  • Ensure you are not sending client_secret to the Authorization endpoint (it belongs in the Token endpoint request).

access_denied

Cause: The user clicked "Cancel" or "Deny" on the consent screen. Solution:

  • Handle this gracefully in your application (e.g., show a "Login was cancelled" message).

Token Issues

Refresh Token Expired

Cause: The refresh token has expired (default 30 days) or has been revoked. Solution:

  • Redirect the user to login again.

Token Revocation

security note: If a refresh token is used after being revoked (or used twice), the entire token family is revoked for security (to prevent replay attacks). If users are suddenly being logged out, check if your application is attempting to use old refresh tokens.

Integration Specifics

NextAuth.js "Try signing in with a different account."

Cause: Usually indicates a failure in the profile callback or a mismatch in the expected user structure. Solution:

  • Enable debug mode in NextAuth: debug: true.
  • Check server logs for specific error messages.
  • Verify that your profile callback correctly maps id (or sub).

Support

If you continue to experience issues, please contact support with:

  1. The client_id you are using.
  2. The timestamp of the error.
  3. The specific error message or code.
  4. A request_id if available.
SecurityFAQ