Versions Affected:
SecureAuth CIAM
Description:
When configuring an OIDC Identity Provider (IdP) in SecureAuth CIAM for OAuth 2.0 Token Exchange, customers may see this error:
failed_to_verify_subject_token
This happens when ACP is asked to accept an access token (passed as subject_token in the exchange request) that was issued by an authorization server behind a corporate VPN.
Customers want ACP to validate these tokens (by reading the issuer’s OIDC Discovery endpoint and JWKS URI), but these endpoints are not publicly accessible.
Cause
SecureAuth CIAM (ACP) is a cloud SaaS platform.
For token exchange to work, ACP must:
Resolve the OIDC Discovery endpoint
Fetch the JWKS URI (for public signing keys)
If these endpoints are:
Only accessible behind a VPN
Blocked by firewall with no public allowlist
...then ACP cannot verify the signature on the incoming subject_token.
This results in the error:
failed_to_verify_subject_token
Resolution
Customers must ensure that:
- The OIDC Discovery endpoint (e.g. https://idp.company.com/.well-known/openid-configuration)
- The JWKS URI returned in the discovery metadata
...are publicly accessible to ACP.
They do not need to expose the entire IdP—only these specific endpoints.
Recommended Network Setup
To maintain security while enabling ACP validation:
Expose Only Required Endpoints
/.well-known/openid-configuration
JWKS URI from discovery metadata
Restrict Access Using IP Allowlisting
Customers can allowlist SecureAuth’s SaaS outbound IP ranges (CIDRs) on their firewall so only ACP can reach these endpoints.
You can find the SecureAuth SaaS Platform IP addresses on the following page:
Configuration Steps in ACP
- Register the OIDC IdP in the ACP Admin Console.
- Enable Token Exchange.
- Set Issuer to exactly match the iss claim in tokens.
- Provide the Discovery Endpoint.
- Ensure the discovery and JWKS URIs are accessible from SecureAuth's allowlisted CIDRs.
- Test token exchange after firewall rules are in place.
Special Considerations
- ACP matches the iss claim in the incoming token to the IdP's Issuer field.
- Any mismatch will result in failed_to_verify_subject_token.
- Even if customers can manually validate JWTs via jwt.io, ACP must reach the JWKS URI itself to validate in real time.
- JWT Bearer flows rely on trust in the system issuing the assertion. Ensure high confidence in the source system.
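The following preflight script is an added example written for this article; it is not SecureAuth or ACP code. It reproduces the two conditions described above from the outside: the iss claim must match the configured Issuer exactly, and the signing key (by kid) must be published at a JWKS URI that a verifier outside the VPN can fetch. The issuer, discovery document, JWKS and tokens are constructed placeholders; fetch_discovery_and_jwks is a hypothetical helper that shows the same two HTTP fetches ACP has to make.

```python
import base64
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample data (not from the article): placeholders standing in
# for a customer IdP's discovery metadata and JWKS.
CONFIGURED_ISSUER = "https://idp.example.com"  # value entered in ACP's Issuer field

DISCOVERY_DOC = {
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
}

JWKS_DOC = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "key-2024-01",
     "n": "placeholder-modulus", "e": "AQAB"},
]}


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_jwt(header: dict, payload: dict) -> str:
    """Assemble a compact JWT with a dummy signature segment, for testing only."""
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url(b"dummy-signature"),
    ])


def decode_jwt_unverified(token: str):
    """Return (header, payload) of a compact JWT without checking the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def fetch_discovery_and_jwks(discovery_url: str, timeout: float = 5.0):
    """Fetch discovery metadata, then its JWKS, as an external verifier must.

    Run this from a host outside the VPN: if it fails (timeout, DNS, 403),
    ACP cannot verify subject tokens from this issuer either.
    """
    with urllib.request.urlopen(discovery_url, timeout=timeout) as resp:
        discovery = json.load(resp)
    with urllib.request.urlopen(discovery["jwks_uri"], timeout=timeout) as resp:
        jwks = json.load(resp)
    return discovery, jwks


def preflight(token: str, configured_issuer: str, discovery: dict, jwks: dict) -> list:
    """Return the problems found; an empty list means the token looks verifiable."""
    problems = []
    header, payload = decode_jwt_unverified(token)

    # 1. iss must match the configured Issuer byte-for-byte; a trailing
    #    slash or http-vs-https difference is a mismatch.
    iss = payload.get("iss")
    if iss != configured_issuer:
        problems.append(f"iss claim {iss!r} does not exactly match configured issuer {configured_issuer!r}")

    # 2. The discovery metadata must advertise that same issuer.
    if discovery.get("issuer") != configured_issuer:
        problems.append(f"discovery issuer {discovery.get('issuer')!r} differs from configured issuer")

    # 3. A JWKS URI must be present and served over HTTPS.
    jwks_uri = discovery.get("jwks_uri")
    if not jwks_uri or urlparse(jwks_uri).scheme != "https":
        problems.append(f"jwks_uri missing or not https: {jwks_uri!r}")

    # 4. The kid the token was signed with must be published in the JWKS.
    kid = header.get("kid")
    published = {key.get("kid") for key in jwks.get("keys", [])}
    if kid not in published:
        problems.append(f"kid {kid!r} not found in JWKS (published: {sorted(k for k in published if k)})")

    return problems


if __name__ == "__main__":
    # Offline demonstration with the constructed documents above; against a
    # real IdP, replace the two dicts with fetch_discovery_and_jwks(url).
    good = build_sample_jwt({"alg": "RS256", "kid": "key-2024-01"},
                            {"iss": CONFIGURED_ISSUER, "sub": "alice"})
    bad = build_sample_jwt({"alg": "RS256", "kid": "key-2024-01"},
                           {"iss": CONFIGURED_ISSUER + "/", "sub": "alice"})
    print("good token:", preflight(good, CONFIGURED_ISSUER, DISCOVERY_DOC, JWKS_DOC) or "ok")
    print("bad token: ", preflight(bad, CONFIGURED_ISSUER, DISCOVERY_DOC, JWKS_DOC))
```

The script deliberately does not verify the signature: the point is to catch the two configuration problems (issuer mismatch, unreachable or incomplete JWKS) before ACP reports failed_to_verify_subject_token, and checking the kid against the JWKS already shows whether the public key ACP needs is actually published at the allowlisted endpoint.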