Connect AI uses Auth0 as its managed identity broker. You configure the OIDC application, client credentials, and claims at your provider; steps that refer to the Auth0 tenant, the flow it uses, or Rules and Actions are configured by CData on the broker side. If one applies to your issue, contact CData Support.
Frequently Asked Questions
Can I use PKCE or a custom response type?
The broker signs users in with the authorization code flow by default. Alternative response types, such as 'id_token token', are not used in this flow.
Can I restrict access to certain users?
Yes. Filter access at your provider by domain, group, or email. The same can be done at the broker with Auth0 Rules or Actions, but that part is configured by CData; contact CData Support if you need it.
Common Errors
The test connection fails with 'invalid_client'.
- Verify the client ID and client secret are correct and still active.
- Make sure the redirect URI registered at your provider matches the broker’s callback URL exactly: https://<YOUR-AUTH0-TENANT>.auth0.com/login/callback
- That callback URL has to be registered as an allowed redirect URI in your provider. If you do not have the exact value, contact CData Support.
An 'issuer mismatch' error appears or discovery fails.
- Confirm the issuer URL matches the iss value in the ID token exactly.
- If your provider does not publish a discovery document, the individual endpoint URLs have to be entered manually. That is done on the broker side, so contact CData Support with the endpoint details.
Expected claims such as email or profile are missing.
Check that your provider returns the standard OIDC claims, either in the ID token or from the userinfo endpoint. You may need to add the relevant scopes and claims to the application configuration at your provider.
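A local check for the issuer mismatch and missing claims errors above, as an added example that is not CData or Auth0 code. It decodes an ID token payload without verifying the signature (diagnostics only), compares the token's iss and the discovery document's issuer with the configured issuer as exact strings, and lists expected claims absent from the token. The provider URL, sample token, and expected claim names are constructed placeholders.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(configured_issuer: str, discovery: dict, id_token: str,
             expected_claims=("email", "name")) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    claims = jwt_claims(id_token)
    # The issuer comparison is an exact string match: scheme, host, path, slash.
    for label, value in (("discovery 'issuer'", discovery.get("issuer")),
                         ("ID token 'iss'", claims.get("iss"))):
        if value == configured_issuer:
            continue
        if value is not None and value.rstrip("/") == configured_issuer.rstrip("/"):
            findings.append(f"{label} differs only by a trailing slash: {value!r}")
        else:
            findings.append(f"{label} does not match configured issuer: {value!r}")
    # expected_claims is an assumption; list the claims your setup relies on.
    missing = [c for c in expected_claims if c not in claims]
    if missing:
        findings.append("not in ID token (check scopes or userinfo): " + ", ".join(missing))
    return findings

def _b64(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: an unsigned token from a placeholder provider.
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "none"}),
    _b64({"iss": "https://idp.example.com/", "sub": "user-1", "email": "a@example.com"}),
    "",
])
SAMPLE_DISCOVERY = {"issuer": "https://idp.example.com/"}

if __name__ == "__main__":
    for line in diagnose("https://idp.example.com", SAMPLE_DISCOVERY, SAMPLE_TOKEN):
        print(line)
```

With the sample data, the configured issuer lacks the trailing slash that the provider publishes, which is a common cause of the mismatch; the token also carries no name claim.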