This topic describes how to resolve common errors that arise when configuring a single sign-on partnership between Google Cloud Platform (GCP) OpenID Connect (OIDC) and Single Sign‑On for VMware Tanzu Application Service.

No Link for OIDC

Symptom

The login page shows only the "Welcome to Example" dialog with the Email and Password fields and a sign-in button. No link for signing in with the external identity provider appears.

Explanation

The discovery URL configured for the identity provider is incorrect or unreachable, so Single Sign-On cannot load the OIDC configuration and does not render a link for the provider on the login page. Verify that the discovery URL is exactly Google's published document, https://accounts.google.com/.well-known/openid-configuration, and that it can be reached from the Single Sign-On service.

No OAuth Client Found

Symptom

You see an error similar to the following screenshot:

The error page from Google reads:
Google. 401. That's an error. Error: invalid_client. The OAuth client was not found.

Explanation

The OAuth client ID configured for the identity provider in Single Sign-On does not match any OAuth client in your GCP project, so Google rejects the authorization request with invalid_client. Copy the client ID from the OAuth client's credentials in the GCP console and compare it character by character with the value configured in Single Sign-On.

Unauthorized

Symptom

You see an error similar to the following screenshot:

The error page reads:
There was an error when authenticating against the external identity provider: 401 Unauthorized.

Explanation

The OAuth client secret configured in Single Sign-On does not match the secret of the OAuth client in GCP. The client ID is accepted, so the authorization step succeeds, but Google rejects the subsequent token request and Single Sign-On reports the 401 it received. Copy the client secret from the OAuth client's credentials in the GCP console and re-enter it in the identity provider configuration.

Redirect URI Mismatch

Symptom

You see an error similar to the following screenshot:

The partially redacted error page from Google reads:
Google. 400. That's an error. Error: redirect_uri_mismatch. The redirect URI in the request, (partially redacted URL beginning with https://example.login), does not match the ones authorized for the OAuth client. Visit (partially redacted URL) to update the authorized redirect URIs.

Explanation

The redirect URI that Single Sign-On sends, which is the URL quoted in the error message, is not listed under Authorized redirect URIs for the OAuth client in the GCP console. Google requires an exact string match, so a different scheme, host, path or a trailing slash is enough to cause this error. Add the URI exactly as it appears in the error message to the OAuth client's authorized redirect URIs.

Empty Username

Symptom

You see an error similar to the following screenshot:

The error page reads:
There was an error when authenticating against the external identity provider: Username cannot be empty.

Explanation

The user_name attribute is not mapped to the email claim in the identity provider's attribute mappings, so Single Sign-On has no value to use as the username. Map user_name to email in the identity provider configuration.

Unable to map claim to a username

Symptom

You see an error similar to the following screenshot:

The error page reads:
There was an error when authenticating against the external identity provider: Username cannot be empty.

Explanation

The “email” scope is not requested from Google, so the ID token contains no email claim for the user_name attribute to map to, even when the mapping itself is correct. Select the “email” scope in the identity provider configuration.
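The following script is an added example and is not code from this topic or from Single Sign-On for VMware Tanzu. It encodes each error described above as a pre-flight check over the partnership settings, so a failing check names the section to read. Everything in it is constructed so that it runs offline: the discovery document is a copy of the fields Google publishes at https://accounts.google.com/.well-known/openid-configuration, while the client ID, client secret, callback path and user details are placeholders and not values from any real deployment.

```python
"""Pre-flight checks for a Single Sign-On for VMware Tanzu / Google OIDC partnership.

Added example, not product code. Each check corresponds to one error section in
this topic. All inputs are constructed so the script runs offline: the
discovery document copies fields from Google's published document, and the
OAuth client, callback URI and user details are placeholders.
"""
from typing import Dict, List, Optional

GOOGLE_DISCOVERY_URL = "https://accounts.google.com/.well-known/openid-configuration"

# Constructed copy of the fields the checks need from Google's discovery document.
DISCOVERY_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["aud", "email", "email_verified", "exp", "iat", "iss", "name", "sub"],
}

# Constructed OAuth client as it would appear in the GCP console (placeholder values,
# including the callback path; the real one is the URL quoted in a redirect_uri_mismatch error).
GCP_OAUTH_CLIENT = {
    "client_id": "123456789012-abcdefghijklmnop.apps.googleusercontent.com",
    "client_secret": "GOCSPX-placeholder-secret",
    "authorized_redirect_uris": ["https://example.login.example.com/login/callback/google"],
}

# Constructed partnership settings as entered on the Single Sign-On side (placeholder values).
SSO_IDP_CONFIG = {
    "discovery_url": GOOGLE_DISCOVERY_URL,
    "client_id": GCP_OAUTH_CLIENT["client_id"],
    "client_secret": GCP_OAUTH_CLIENT["client_secret"],
    "redirect_uri": "https://example.login.example.com/login/callback/google",
    "scopes": ["openid", "email"],
    "attribute_mappings": {"user_name": "email"},
}


def preflight(sso: Dict, gcp: Dict, discovery: Optional[Dict]) -> List[str]:
    """Return the names of the sections in this topic whose error the given
    configuration would produce; an empty list means every check passed."""
    findings = []

    # No Link for OIDC: the discovery URL must yield a document naming the
    # authorization endpoint, otherwise the login page shows no provider link.
    if not discovery or "authorization_endpoint" not in discovery:
        findings.append("No Link for OIDC")

    # No OAuth Client Found: Google answers 401 invalid_client when the client
    # ID sent by Single Sign-On matches no client in the GCP project.
    if sso["client_id"] != gcp["client_id"]:
        findings.append("No OAuth Client Found")

    # Unauthorized: the secret is verified at the token endpoint, after the
    # user has already authenticated at Google.
    if sso["client_secret"] != gcp["client_secret"]:
        findings.append("Unauthorized")

    # Redirect URI Mismatch: Google requires an exact string match, so a
    # trailing slash or http:// instead of https:// is a different URI.
    if sso["redirect_uri"] not in gcp["authorized_redirect_uris"]:
        findings.append("Redirect URI Mismatch")

    # Unable to map claim to a username: without the email scope the ID token
    # carries no email claim for user_name to map to.
    if "email" not in sso["scopes"]:
        findings.append("Unable to map claim to a username")

    # Empty Username: the user_name attribute must be mapped to the email claim.
    if sso["attribute_mappings"].get("user_name") != "email":
        findings.append("Empty Username")

    return findings


def id_token_claims_for(scopes: List[str]) -> Dict[str, str]:
    """Constructed ID token claims for the requested scopes: Google only
    includes the email claim when the email scope was requested."""
    claims = {"iss": DISCOVERY_DOC["issuer"], "sub": "110169484474386276334"}
    if "email" in scopes:
        claims["email"] = "alice@example.com"  # placeholder user
    return claims


def resolve_username(claims: Dict[str, str], mappings: Dict[str, str]) -> Optional[str]:
    """Apply the user_name attribute mapping to the ID token claims. None is
    the condition Single Sign-On reports as 'Username cannot be empty'."""
    source_claim = mappings.get("user_name")
    if not source_claim:
        return None
    return claims.get(source_claim) or None


if __name__ == "__main__":
    print("correct config:", preflight(SSO_IDP_CONFIG, GCP_OAUTH_CLIENT, DISCOVERY_DOC))
    broken = dict(SSO_IDP_CONFIG, scopes=["openid"])
    print("missing email scope:", preflight(broken, GCP_OAUTH_CLIENT, DISCOVERY_DOC))
    print("username:", resolve_username(id_token_claims_for(broken["scopes"]), broken["attribute_mappings"]))
```

The two username checks are deliberately separate: a missing "email" scope and a missing user_name mapping produce the same "Username cannot be empty" message in Single Sign-On, so the script reports them under the two different section names this topic uses, and resolve_username shows why both end in an empty username.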
