
Okta OIDC #195

Description

@CdrMarks

I'm testing Authorizer for my university since many site owners already use this plugin for CAS and we're implementing Okta. Okta supports:

  • OIDC
  • SAML 2.0
  • SWA (Secure Web Authentication): A proprietary Okta protocol that allows SSO for applications that do not support federated standards (SAML/OIDC) by securely storing and passing credentials.
  • WS-Federation (WS-Fed): Used primarily for integration with Microsoft applications

I'm attempting OIDC. Unfortunately, when I am signing in, I see this error:

OIDC authentication failed. Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.

I have set up the plugin's OIDC settings in this way:

Authorizer OIDC Settings

General

| Field | Value |
| --- | --- |
| OIDC server(s) | 1 |
| OIDC automatic login | Off |
| Custom label | Okta Preview |

OIDC Provider Configuration

| Field | Value |
| --- | --- |
| Issuer URL | https://xyz.oktapreview.com/oauth2/default |
| Client ID | redacted |
| Client Secret | redacted |
| Scopes | openid email profile |
| Prompt parameter | (blank) |
| Login hint parameter | (blank) |
| Max age parameter | (blank) |

User Attribute Mapping

| Field | Value |
| --- | --- |
| Attribute containing username | email |
| Attribute containing email | email |
| Attribute containing first name | given_name |
| Attribute containing last name | family_name |

Account Handling

| Field | Value |
| --- | --- |
| Name attribute update | Do not update first and last name fields on login |
| Require verified email | false |
| OIDC users linked by username | false |
| OIDC Hosted Domain | (blank) |

Here is how things are set up in Okta.

Okta Application Configuration

Application Overview

| Field | Value |
| --- | --- |
| Application name | WordPress Test |
| Status | Active |
| Application type | Web |

Client Credentials

| Field | Value |
| --- | --- |
| Client ID | redacted |
| Client authentication | Client secret |
| PKCE required | false |

Client Secrets

| Field | Value |
| --- | --- |
| Secret status | Active |
| Secret created | Apr 29, 2026 |

Public Keys

| Field | Value |
| --- | --- |
| Key storage | Save keys in Okta |
| Public keys configured | None |
| ID token encryption | None |

Security Settings

| Field | Value |
| --- | --- |
| DPoP required | false |
| Token usage IP restriction | Any IP |

Grant Types

| Field | Value |
| --- | --- |
| Authorization Code | true |
| Refresh Token | false |
| Client Credentials | false |

User Consent

| Field | Value |
| --- | --- |
| Require consent | true |
| Terms of Service URI | (blank) |
| Policy URI | (blank) |
| Logo URI | (blank) |

Login Configuration

| Field | Value |
| --- | --- |
| Sign-in redirect URI | https://wptest.xyz.edu/wp-login.php?external=oidc |
| Allow wildcard redirect URI | false |
| Sign-out redirect URI | (blank) |
| Login initiated by | App Only |
| Initiate login URI | (blank) |

Email Verification Experience

| Field | Value |
| --- | --- |
| Callback URI | (blank) |

Logout Settings

| Field | Value |
| --- | --- |
| Global token revocation logout handling | Disabled |
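The Okta error quoted above is the token endpoint rejecting a request that carries more than one client authentication method at once (RFC 6749 section 2.3 allows exactly one per request). The following is an added illustration, not code from the Authorizer plugin or from Okta: it builds the authorization-code token exchange with a single method and includes a check that flags a request mixing the Basic header with `client_secret` or `client_assertion` in the body. The client ID, secret and authorization code are constructed placeholders; the token URL is derived from the issuer in the issue.

```python
import base64
from urllib.parse import quote

# Constructed placeholder values; not real Okta credentials.
CLIENT_ID = "0oa-example-client-id"
CLIENT_SECRET = "example-client-secret"
# Okta org authorization server token endpoint, derived from the issuer above (assumption).
TOKEN_URL = "https://xyz.oktapreview.com/oauth2/default/v1/token"


def client_auth_methods(headers: dict, body: dict) -> list:
    """Return every client authentication method present in one token request.

    A compliant request uses exactly one; Okta answers a mix with the
    "Cannot supply multiple client credentials" error quoted in the issue.
    """
    methods = []
    if headers.get("Authorization", "").startswith("Basic "):
        methods.append("client_secret_basic")
    if "client_secret" in body:
        methods.append("client_secret_post")
    if "client_assertion" in body:
        methods.append("private_key_jwt")
    return methods


def build_token_request(code: str, redirect_uri: str, method: str = "client_secret_basic"):
    """Build (headers, form body) for the authorization_code exchange using one client auth method."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 appendix B: form-encode id and secret before base64 of "id:secret".
        pair = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        body["client_id"] = CLIENT_ID
        body["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    # Guard against the misconfiguration behind the error in this issue.
    if len(client_auth_methods(headers, body)) != 1:
        raise ValueError("token request must carry exactly one client authentication method")
    return headers, body
```

Comparing the output of `client_auth_methods` against the token request the plugin actually sends (for example from a debug log of the POST to `TOKEN_URL`) tells you which side is duplicating the credentials.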
