4.3 Troubleshooting
This section contains troubleshooting information for OpenID authentication.
If you are experiencing problems, we recommend enabling logging for the web.oauth2 or web.oauth2.ext web service; see the MyID REST and authentication web services section in the Configuring Logging guide for details.
To confirm that the authentication service is running, you can check the following URL:
https://<myserver>/web.oauth2/.well-known/openid-configuration
For the standalone authentication service, this is:
https://<myserver>/web.oauth2.ext/.well-known/openid-configuration
where <myserver> is the address of the MyID authentication service. This should return a block of JSON describing the endpoints and configuration of your authentication service.
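The following Python script is an added example, not part of the MyID product or this guide. It builds the discovery URL above for a given <myserver> address, downloads the document, and checks the fields a client relies on: the required endpoints, that they all use https and sit on the expected host, and that the authorization code flow with PKCE S256 is advertised. The sample document embedded in it is constructed; its host and endpoint paths are illustrative and are not MyID's actual endpoints.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Fields every OpenID Connect discovery document must carry (OpenID Connect
# Discovery 1.0); jwks_uri is what a client needs to verify identity tokens.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(server, standalone=False):
    """Build the well-known URL from the guide for the given <myserver> address."""
    service = "web.oauth2.ext" if standalone else "web.oauth2"
    return f"https://{server}/{service}/.well-known/openid-configuration"


def fetch_discovery(server, standalone=False):
    """Download and parse the discovery document (online use only)."""
    with urllib.request.urlopen(discovery_url(server, standalone), timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc, expected_host):
    """Return a list of problems with a discovery document; an empty list means OK.

    expected_host is the host part of <myserver>. The issuer and every endpoint
    should sit on that host and use https; a client configured for one issuer
    will reject tokens whose iss claim names another.
    """
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in doc]
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if not isinstance(value, str):
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{field} is not https: {value}")
        if parsed.hostname != expected_host:
            problems.append(f"{field} points at {parsed.hostname}, expected {expected_host}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type=code (authorization code flow) is not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 is not advertised")
    return problems


# Constructed sample document; host and endpoint paths are illustrative only.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://myid.example.test/web.oauth2",
  "authorization_endpoint": "https://myid.example.test/web.oauth2/connect/authorize",
  "token_endpoint": "https://myid.example.test/web.oauth2/connect/token",
  "jwks_uri": "https://myid.example.test/web.oauth2/.well-known/openid-configuration/jwks",
  "response_types_supported": ["code"],
  "code_challenge_methods_supported": ["S256"]
}""")

if __name__ == "__main__":
    # Offline check of the constructed sample; swap in fetch_discovery("<myserver>")
    # to check a live service.
    print(check_discovery(SAMPLE_DOC, "myid.example.test") or "discovery document OK")
```

Run it against a live service by replacing SAMPLE_DOC with fetch_discovery("<myserver>"); any entry in the returned list is a mismatch worth resolving before troubleshooting clients, because a client validates the issuer and endpoints against exactly what this document says.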
- HTTP Error 500.30 when accessing the authentication service
If you see an error similar to:
HTTP Error 500.30 - ANCM In-Process Start Failure
Check that your appsettings.Production.json file is valid.
Note especially that copying code samples from a browser may include hard spaces, which cause the JSON file to be invalid.
To assist in tracking down the problem, you can use the Windows Event Viewer. Check the Windows Logs > Application section for errors; you may find an error from the .NET Runtime source that contains information similar to:
Exception Info: System.FormatException: Could not parse the JSON file.
---> System.Text.Json.JsonReaderException: '"' is invalid after a value. Expected either ',', '}', or ']'. LineNumber: 13 | BytePositionInLine: 6.
which could be caused by a missing comma at the end of a line.
An error similar to:
Exception Info: System.FormatException: Could not parse the JSON file.
---> System.Text.Json.JsonReaderException: '0xC2' is an invalid start of a property name. Expected a '"'. LineNumber: 7 | BytePositionInLine: 0.
is caused by a hard (non-breaking) space copied from a web browser, which is not supported in JSON.
Note: Some JSON files used by MyID contain comment lines beginning with double slashes (//). These comments are not part of the JSON standard, so the files will fail validation if you check them with external JSON validation tools. However, the JSON configuration provider in ASP.NET Core does support these comments, so they are valid in the context of MyID.
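As an added example (not MyID's own tooling), the following Python script checks an appsettings.Production.json file for the two faults described above. It reports the position of every hard (non-breaking) space, then strips the // comment lines that ASP.NET Core accepts but standard JSON parsers reject and reports any remaining syntax error with its line and column. The sample file contents at the bottom are constructed and use generic ASP.NET Core keys rather than MyID settings.

```python
import json
import re
from pathlib import Path

# ASP.NET Core's JSON configuration provider accepts // line comments, which
# standard JSON parsers reject. This pattern matches either a complete string
# literal (kept, so that // inside a URL is left alone) or a line comment.
COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*')


def strip_line_comments(text):
    """Remove // comments that sit outside string literals; line numbers are preserved."""
    return COMMENT_RE.sub(lambda m: m.group(1) or "", text)


def find_hard_spaces(text):
    """Return (line, column) positions of non-breaking spaces (U+00A0).

    In UTF-8 this character is the byte pair 0xC2 0xA0, which is why .NET reports
    '0xC2' is an invalid start of a property name.
    """
    return [(lineno, col)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for col, ch in enumerate(line, start=1)
            if ch == "\u00a0"]


def validate_appsettings(text):
    """Return a list of problems found; an empty list means the file parses."""
    problems = [f"hard space at line {ln}, column {col}" for ln, col in find_hard_spaces(text)]
    # Parse with hard spaces replaced so that a syntax error elsewhere is still reported.
    try:
        json.loads(strip_line_comments(text.replace("\u00a0", " ")))
    except json.JSONDecodeError as exc:
        problems.append(f"JSON error at line {exc.lineno}, column {exc.colno}: {exc.msg}")
    return problems


def validate_file(path):
    """Validate a file on disk; utf-8-sig tolerates the BOM that .NET tools often write."""
    return validate_appsettings(Path(path).read_text(encoding="utf-8-sig"))


# Constructed sample contents, not taken from a MyID installation.
GOOD = '{\n  // comment lines like this are accepted by ASP.NET Core\n  "Logging": { "LogLevel": { "Default": "Warning" } }\n}\n'
MISSING_COMMA = '{\n  "Logging": { "LogLevel": { "Default": "Warning" } }\n  "AllowedHosts": "*"\n}\n'
HARD_SPACE = '{\n\u00a0 "AllowedHosts": "*"\n}\n'

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("MISSING_COMMA", MISSING_COMMA), ("HARD_SPACE", HARD_SPACE)):
        print(name, validate_appsettings(sample) or "OK")
```

Call validate_file(r"C:\path\to\appsettings.Production.json") before restarting the service; a clean result means the file will load, while the reported line numbers correspond to the LineNumber values in the .NET Runtime event log entries shown above.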
- invalid_grant error when requesting an identity token
This is a general error that may have several causes. Check the log for the web.oauth2 or web.oauth2.ext service for more information.
For example, you may see errors in the log similar to:
  - code_verifier is too short or too long
In this case, check that your PKCE code verifier is between 43 and 128 characters. Note that this means a GUID is not long enough.
  - Client is trying to use a code from a different client
In this case, check that the client_id you passed when requesting the identity token is the same as the client_id you passed when requesting the authorization code.
  - Invalid redirect_uri
In this case, the redirect URL that you provided in the request for an identity token does not match the URL that you provided when requesting the authorization code; you must use the same URL in both requests.
  - Invalid authorization code
In this case, you have either provided an incorrect authorization code, or the code has expired. Authorization codes are single-use; even if the attempt to obtain an identity token fails for another reason, you cannot re-use an authorization code. You must request another code and start the process again.
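The following Python code is an added example, not part of MyID or this guide, covering the invalid_grant causes listed above from the client's side. It generates a PKCE code verifier of the correct length and its S256 challenge, shows why a GUID fails the length check, and compares the parameters of the authorization request with those of the token request to catch a client_id, redirect_uri or code_verifier mismatch before the request is sent. Parameter names follow RFC 7636 and RFC 6749; the client id and redirect URL in the sample are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import uuid

# RFC 7636: a code_verifier is 43 to 128 characters drawn from [A-Za-z0-9-._~].
VERIFIER_CHARS = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def b64url(data):
    """base64url without '=' padding, the encoding PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """32 random bytes encode to 43 characters (the minimum); 96 bytes give 128 (the maximum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier):
    """The S256 code_challenge sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_problem(verifier):
    """Return None if the verifier is acceptable, otherwise a description of the fault."""
    if len(verifier) < 43:
        return f"code_verifier is too short ({len(verifier)} characters, minimum 43)"
    if len(verifier) > 128:
        return f"code_verifier is too long ({len(verifier)} characters, maximum 128)"
    if not set(verifier) <= VERIFIER_CHARS:
        return "code_verifier contains characters outside [A-Za-z0-9-._~]"
    return None


def check_token_request(authorize_params, token_params):
    """Compare what was sent to the authorization endpoint with what is about to be
    sent to the token endpoint and list the mismatches that produce invalid_grant."""
    problems = []
    for name in ("client_id", "redirect_uri"):
        if authorize_params.get(name) != token_params.get(name):
            problems.append(f"{name} differs between the authorization and token requests")
    verifier = token_params.get("code_verifier", "")
    fault = verifier_problem(verifier)
    if fault:
        problems.append(fault)
    elif not hmac.compare_digest(make_code_challenge(verifier).encode(),
                                 authorize_params.get("code_challenge", "").encode()):
        problems.append("code_verifier does not match the code_challenge that was sent")
    return problems


if __name__ == "__main__":
    # A GUID is only 36 characters, so it fails the length check.
    print(verifier_problem(str(uuid.uuid4())))
    verifier = make_code_verifier()
    # Constructed sample parameters for the two requests.
    authorize = {"client_id": "example.client", "redirect_uri": "https://app.example.test/callback",
                 "code_challenge": make_code_challenge(verifier), "code_challenge_method": "S256"}
    token = {"client_id": "example.client", "redirect_uri": "https://app.example.test/callback",
             "code_verifier": verifier}
    print(check_token_request(authorize, token) or "token request is consistent")
```

Keep the verifier in the client's own session state between the two requests and never send it with the authorization request; only the challenge goes there. Note that this check cannot tell you whether an authorization code has already been used or has expired, so if it reports no problems and you still see invalid_grant, request a fresh code and retry.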
- invalid_scope error when requesting an authorization code
The scope you requested is not permitted for the client ID you are using. Check that you have set up the AllowedScopes parameter correctly.
Check the log for the web.oauth2 or web.oauth2.ext service for more information.
- unauthorized_client error when requesting an authorization code
Check that the client ID you are passing is correct; this must be a valid ClientId from the appsettings.Production.json file.
Check the log for the web.oauth2 or web.oauth2.ext service for more information.
- unsupported_response_type error when requesting an authorization code
Check that the response type you are requesting is code.
Check the log for the web.oauth2 or web.oauth2.ext service for more information.
- Cannot access the MyID Operator Client
If your new system is working correctly, but when you attempt to sign in to the MyID Operator Client you see an error similar to:
Sorry, there was an error : unauthorized_client
You may have overwritten the standard clients in the appsettings.json file with your changes to the appsettings.Production.json file.
The log for the web.oauth2 or web.oauth2.ext service will contain an error similar to:
Unknown client or not enabled: myid.operatorclient
In JSON settings files, entries in arrays are identified by their index. Therefore, if the appsettings.json file already has four entries, you must include four blank array entries ({}) in the appsettings.Production.json file before you add your new client details, so that the new client does not overwrite an existing one.
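The following Python code is an added example, not MyID's code, that reproduces how ASP.NET Core's configuration system merges a JSON array in appsettings.Production.json over the one in appsettings.json: each value is flattened to a key such as Clients:0:ClientId, and the later file wins per key, so an unpadded array lands on index 0. The section name Clients and the second client id are assumptions for illustration; myid.operatorclient and the ClientId and AllowedScopes keys are the ones named in this guide.

```python
import json


def flatten(value, prefix=""):
    """Flatten a JSON value into ASP.NET Core configuration keys ("Clients:0:ClientId").

    Objects contribute their property names, arrays their element index, so a
    JSON array is just a set of keys numbered from 0. An empty object {} adds no
    child keys, which is why padding entries leave the base file's clients intact.
    """
    keys = {}
    if isinstance(value, dict):
        for name, child in value.items():
            keys.update(flatten(child, f"{prefix}{name}:"))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            keys.update(flatten(child, f"{prefix}{index}:"))
    else:
        keys[prefix[:-1]] = value
    return keys


def merge_settings(base_json, override_json):
    """Merge appsettings.Production.json over appsettings.json: the later file wins per key."""
    merged = flatten(json.loads(base_json))
    merged.update(flatten(json.loads(override_json)))
    return merged


def client_ids(merged, section="Clients"):
    """List the ClientId values in array order from a merged key set."""
    found = {}
    for key, value in merged.items():
        parts = key.split(":")
        if len(parts) == 3 and parts[0] == section and parts[2] == "ClientId":
            found[int(parts[1])] = value
    return [found[i] for i in sorted(found)]


# Constructed samples. The section name "Clients" and the second client id are
# assumptions; myid.operatorclient is the client named in the guide.
BASE = """{
  "Clients": [
    { "ClientId": "myid.operatorclient", "AllowedScopes": ["openid"] },
    { "ClientId": "example.second.client", "AllowedScopes": ["openid"] }
  ]
}"""

# Wrong: no padding, so the new client lands on index 0 and replaces myid.operatorclient.
OVERWRITES = """{
  "Clients": [
    { "ClientId": "my.new.client", "AllowedScopes": ["openid"] }
  ]
}"""

# Right: one blank entry per existing client, so the new client is appended at index 2.
PADDED = """{
  "Clients": [
    {},
    {},
    { "ClientId": "my.new.client", "AllowedScopes": ["openid"] }
  ]
}"""

if __name__ == "__main__":
    print("without padding:", client_ids(merge_settings(BASE, OVERWRITES)))
    print("with padding:   ", client_ids(merge_settings(BASE, PADDED)))
```

The merged key set also shows why a partial overwrite is confusing to diagnose: replacing only ClientId at index 0 leaves the base client's other keys (AllowedScopes and so on) in place under that index, so the service sees a client with the new id but the old settings, and myid.operatorclient is no longer present, matching the "Unknown client or not enabled" log entry. The real provider treats keys case-insensitively; this model does not, which is sufficient for checking the array layout.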