Authentication Failure When Upstream OIDC Connection Requires client_secret_basic

Overview

This article explains the authentication failure that occurs during the token exchange handshake when using an upstream OpenID Connect (OIDC) Enterprise Connection. The logs indicate that the upstream Identity Provider (IdP) rejected the client authentication request or could not locate the client credentials, typically throwing the following error:

"message": "server responded with a challenge in the WWW-Authenticate HTTP Header", "oauthError": "unauthorized"

Applies To
  • Enterprise Connections

  • OpenID Connect (OIDC) Strategy

Cause

This issue occurs due to a mismatch in the Client Authentication method between Auth0 and the upstream IdP.

When configured with a Client Secret, Auth0 authenticates with the upstream IdP using the client_secret_post method. This method sends the Client ID and Client Secret in the body of the HTTP POST request.

The error arises because the upstream IdP is configured to strictly enforce client_secret_basic, which requires the credentials to be sent in the HTTP Authorization header. The IdP therefore looks only for that header, ignores the Client ID and Client Secret in the request body, and treats the request as unauthenticated, answering with the WWW-Authenticate challenge shown above. Because Auth0 does not support client_secret_basic for upstream OIDC connections, the handshake cannot succeed until the IdP accepts another method.

Solution

To resolve this incompatibility, adjust the configuration of the upstream IdP to accept a method supported by Auth0.

Option 1: Configure Private Key JWT (Recommended)

The most secure method is to switch from a shared Client Secret to Private Key JSON Web Token (JWT) authentication. This method uses a public/private key pair and is fully supported by Auth0.

  1. Verify that the upstream IdP supports private_key_jwt for client authentication.

  2. In the Auth0 Dashboard, select Authentication > Enterprise.

  3. Select the OIDC Connection.

  4. Locate the Client Authentication settings.

  5. Configure the connection using a key pair and Private Key JWT.

  6. Upload the corresponding Public Key to the upstream IdP.

Read more about the Private Key JWT: Private Key JWT Client Authentication for Okta and OIDC Connections

Option 2: Enable client_secret_post on the Upstream IdP

If Private Key JWT is not feasible, configure the upstream IdP to accept credentials via the request body.

  1. Access the configuration settings for the upstream IdP.

  2. Locate the setting for Client Authentication Method (sometimes labeled as Token Endpoint Authentication Method).

  3. Change the setting from client_secret_basic to client_secret_post (or configure it to allow both).

  4. Save the changes.

  5. Retry the authentication flow.
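The following added example (not Auth0 code) models the mismatch described in the Cause section and the effect of Option 2: it builds the token request both ways and runs it against a minimal mock token endpoint that honours only its configured client authentication methods. The client credentials, authorization code and realm are constructed placeholders.

```python
import base64
import secrets
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed placeholder credentials; not real values from any tenant.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def build_token_request(method, code):
    """Build (headers, body) of a token request for the given client auth method."""
    params = {"grant_type": "authorization_code", "code": code}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_post":
        # Credentials travel in the form body (the method Auth0 uses upstream).
        params["client_id"] = CLIENT_ID
        params["client_secret"] = CLIENT_SECRET
    elif method == "client_secret_basic":
        # Credentials travel in an HTTP Basic header; RFC 6749 section 2.3.1
        # form-urlencodes each part before base64-encoding "id:secret".
        creds = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    else:
        raise ValueError(f"unsupported method: {method}")
    return headers, urlencode(params)


def token_endpoint(allowed_methods, headers, body):
    """Mock IdP token endpoint returning (status, response_headers); it consults
    only the configured methods, so credentials sent another way are ignored."""
    form = dict(parse_qsl(body))
    auth = headers.get("Authorization", "")
    if "client_secret_basic" in allowed_methods and auth.startswith("Basic "):
        cid, _, sec = base64.b64decode(auth[6:]).decode().partition(":")
        if unquote(cid) == CLIENT_ID and secrets.compare_digest(unquote(sec), CLIENT_SECRET):
            return 200, {}
    if "client_secret_post" in allowed_methods and "client_secret" in form:
        if form.get("client_id") == CLIENT_ID and secrets.compare_digest(form["client_secret"], CLIENT_SECRET):
            return 200, {}
    # No acceptable credentials found: challenge, as in the article's error.
    return 401, {"WWW-Authenticate": 'Basic realm="token"'}


def exchange(client_method, idp_allowed_methods):
    """Run one token exchange and return the HTTP status the client sees."""
    headers, body = build_token_request(client_method, "constructed-auth-code")
    return token_endpoint(idp_allowed_methods, headers, body)[0]
```

With the IdP restricted to client_secret_basic the client_secret_post request is challenged with 401; allowing client_secret_post (or both) makes the same request succeed.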
