Skip to main content

OAuth Debugging

Step-by-step debugging for OAuth/SSO issues.

Redirect URI Mismatch

Ensure URI exactly matches: https://{region}.api.ecourtdate.com/oauth/{yoursignin}/redirect
Check for trailing slashes
Protocol must be https
Region must match your IDP profile configuration

Scope Errors

Azure AD: Requires admin consent for GroupMember.Read.All
Google: Requires domain-wide delegation for group directory scopes
Okta: Include groups scope and configure groups claim in ID Token
All providers: Must include openid, email, profile at minimum

Group Assignment Not Working

Group name format must be {AgencyReference}_ECOURTDATE (case-insensitive)
For Okta: Configure groups claim filter with regex .*_ECOURTDATE
Verify users are actually members of the group in the IDP
Use IDP token debugger to confirm groups claim is present in the token

User Gets Wrong Role

Role names containing SECURITY, ADMIN, or ROOT (case-insensitive) are automatically elevated to Super Admin
If unexpected, rename the role/group in your IDP

Provider-Specific Tips

Azure AD: Check Azure Portal > App registrations > API permissions for consent status
Google: Verify OAuth consent screen configuration in Google Cloud Console
Okta: Check Application > Sign On > OpenID Connect ID Token > Groups claim type
AWS Cognito: Check User Pool > App clients > Allowed OAuth Scopes

See also: OAuth Troubleshooting, OAuth Flows

Redirect URI Mismatch
Scope Errors
Group Assignment Not Working
User Gets Wrong Role
Provider-Specific Tips