This article provides a guide for diagnosing and resolving a 401 Unauthorized error during an OpenID Connect (OIDC) integration, specifically when the error is returned by a third-party Service Provider (SP).
401 Unauthorized
The scenario addressed is one where the client application has successfully received the ID Token and/or Access Token from the Okta Authorization server, but is subsequently rejected by the Service Provider (SP) when using those tokens to access a protected resource.
- Okta OpenID Connect
- API Access Management
- OAuth 2.0
The root cause will most likely be found in one of the following areas for OIDC SSO:
- OIDC Token Validation failure (missing user claims): The required user data (claims) needed for the SP to recognize the user is missing or incorrect.
- OIDC Token Validation failure (audience mismatch): The SP is expecting a specific audience value ("aud" claim), which is different from the value already included in the token.
NOTE: Before contacting the Service Provider, it is essential to check the Okta system logs to verify that OIDC tokens are generated successfully.
The following three events will be visible for the application/client used in the OIDC integration:
After validating that the tokens are successfully generated, confirm the following with the Service Provider (SP):
- Ensure that the client application is requesting all necessary OIDC scopes (openid, profile, email).
This can be checked from the Service Provider's configuration dashboard.
Additionally, confirm if the SP is looking for the correct claim (for example, email vs preferred_username).
An example of a decoded ID Token can be found in the OpenID Connect & OAuth 2.0 Okta Developer documentation.
- Check the target audience: The token contains an "aud" claim specifying who it is for.
This value must match the Client ID or unique identifier that the Service Provider (SP) expects.
NOTE:
- When using the ORG server, the "aud" claim (audience value) will be the Client ID of the OIDC application. The ORG server does not allow custom scope definitions. Only the standard OIDC Scopes and Okta Scopes are allowed.
- When using a Custom Authorization server, the audience value is specified in the server settings. In this case, specify a custom audience value according to the requirements from the SP.
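The two checks above (audience mismatch and missing user claims) can be run against a captured ID Token before contacting the SP. The following is an added example, not code from the article or from Okta; the list of required claims is a hypothetical SP requirement, and the token it inspects is constructed inline and unsigned so the script runs offline.

```python
import base64
import json

# Hypothetical set of claims the SP needs to recognize the user (assumption).
REQUIRED_CLAIMS = ("sub", "email", "preferred_username")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(id_token: str) -> dict:
    """Return the claims of a JWS compact-serialized token.
    This only parses the payload for diagnosis; signature verification against
    the issuer's JWKS is a separate step and is not done here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(id_token: str, expected_aud: str) -> dict:
    """Report whether 'aud' matches what the SP expects and which required claims are absent."""
    claims = decode_payload(id_token)
    aud = claims.get("aud")
    # RFC 7519 allows 'aud' to be a single string or a list of strings.
    aud_values = aud if isinstance(aud, list) else [aud]
    return {
        "aud_ok": expected_aud in aud_values,
        "aud_found": aud_values,
        "missing_claims": [c for c in REQUIRED_CLAIMS if c not in claims],
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token (alg 'none', empty signature) for offline testing only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: 'aud' is the OIDC client ID, 'preferred_username' is absent.
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://example.okta.com",
    "sub": "00u-constructed-user",
    "aud": "0oa-constructed-client-id",
    "email": "jane@example.com",
})

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, "0oa-constructed-client-id"))
    print(diagnose(SAMPLE_TOKEN, "api://sp-expected-audience"))
```

Run it against a real ID Token copied from the application's token response and the Client ID or audience value the SP expects; a False `aud_ok` or a non-empty `missing_claims` points at the matching root cause listed above.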
