
Most Frequent Errors

This section describes common errors that CIAM returns after the integration.

Invalid Callback

callback

The error is returned when the callback provided when the application was created does not match the one sent in the API call. To resolve it, check the callback on both the application side and the CIAM side.

Note

The callback must be exactly the same, including the slash '/'.

Unsupported OAuth Authorization Flow

error_description=Unsupported+Response+Type%21&error=unsupported_response_type&sp=<application>&tenantDomain=carbon.super

The error is returned when the response type of the call, which selects the authorization flow to be used, is unsupported. To resolve it, check the API call made by the application and ensure that the response_type parameter is set to code.

Note

For security reasons, the implicit flow is not supported on CIAM. Make sure that response_type does not contain token or id_token.

Code challenge used is not up to RFC 7636 specifications

The error is returned when the authorization flow used is the PKCE flow and one of the following conditions is not met:

  • the code_verifier contains only A-Z, a-z, 0–9, "-", ".", "_", "~" characters
  • the code_challenge is created by SHA256 hashing the code_verifier and base64 URL encoding the resulting hash
  • code_challenge_method is set to "S256"

Invalid request: the client MUST NOT use more than one authentication method in each

The error is returned when the authorization flow used is the PKCE flow and the request to the oauth2/token endpoint contains the client secret of the application. To resolve this error, remove the client secret and keep only the client id.

User has not received the first email

Sometimes the first email, sent to validate the email address or to set the password, is not sent. In these cases:

  • For a validation email, a pop-up offering to resend the email is displayed once the user attempts to log in
  • For a set password email (user registered with the API or Bulk import), the user can generate a new email by clicking on Forgot password