1.1.5.3.5 Error Codes
Table 1-9 JWT Error Codes
Error Code | Error Code ID | Description | Cause |
---|---|---|---|
TPED_JWT_AUTH_RC_CERT_INV | 20 | This error occurs when the JWT certificate validation fails. | This error is triggered when the aud (audience) claim in the JWT does not match the expected value. This typically happens when a JWT issued for one service or API is mistakenly used for another. Common causes include misconfiguration in the issuing identity provider (IdP), incorrect audience validation settings in the application, or using a token intended for a different environment (e.g., staging vs. production). |
TPED_JWT_AUTH_RC_SIG_INV | 21 | This error occurs when the JWT signature verification fails. The token's signature does not match the expected value. | This error is triggered when the cryptographic signature of the token cannot be verified. Common causes include the token being tampered with after signing, an incorrect signing key, or a mismatch between the algorithms used to sign and verify the token. |
TPED_JWT_AUTH_RC_DIG_INV | 22 | This error occurs when there is a digest mismatch during JWT token signature verification. | This error is triggered when the digest (hash) embedded in the token does not match the digest computed from the token's payload. Common causes include data corruption or intentional modification of the token content. |
TPED_JWT_AUTH_RC_PUBKEY_INV | 24 | JWT public key is invalid or does not match the signing key. | This error is triggered when the public key provided for signature verification is improperly formatted, corrupted, or does not correspond to the private key that was used to sign the token. |
TPED_JWT_AUTH_RC_ALG_NOT_SUPPORTED | 25 | The JWT signing algorithm is not supported. The token was signed using an algorithm that was not recognized or allowed. | This error is triggered when the token uses a cryptographic algorithm that is either unsupported or not enabled in the system's configuration. |
TPED_JWT_AUTH_RC_EOS | 26 | An internal system error occurred during JWT validation. | This error is triggered when an unexpected internal failure occurs during the processing or validation of the JWT token. Common causes are memory issues or faulty system configurations. |
TPED_JWT_AUTH_RC_DATA_INV | 27 | The JWT data format is invalid, or the token is corrupted. The token cannot be parsed or processed. | This error is triggered when the token structure does not conform to the JWT standards, for example, missing required fields or incorrect encoding. Common causes are data corruption, manual token manipulation, or incorrect token generation. |
TPED_JWT_AUTH_RC_TIME_INV | 28 | This error occurs when the JWT token has expired or is not yet valid. The token's 'exp' claim is outside the acceptable time range. | This error is triggered when the current time falls outside the validity period defined in the token's claims. For example, if the token is used after its expiration (exp). |
TPED_JWT_AUTH_RC_AUD_INV | 34 | This error occurs when the audience (aud) claim does not match the expected value. | Occurs when the aud (audience) claim in the JWT does not match the expected value. For example: The JWT was issued for a specific API (urn:opc:lbaas:logicalguid=idcs-7784874874hduhd1d0,https://idcs-7djhdjhdh363hdh.identity.oraclecloud.com) but is being used for another API (https://idcs-77cfdgg67d0.us-phoenix-idcs-2.secure.identity.oraclecloud.com). |
TPED_JWT_AUTH_RC_ISS_INV | 35 | The issuer (iss) claim does not match the expected value. For example: The token was issued by an unauthorized identity provider (idp-xyz) instead of the configured idp-abc. | This error is triggered when the iss (issuer) claim in the JWT does not match the expected trusted identity provider. This can occur when the token is issued by an unauthorized or unrecognized IdP, when the configured trust list does not include the issuer, or if the JWT is tampered with to modify the iss claim. |
TPED_JWT_AUTH_RC_INVALID_TYP | 36 | The typ (type) claim in the JWT header is incorrect. | For example, the token's header specifies an unsupported type, such as typ: INVALID-TYPE instead of typ: JWT. |
TPED_JWT_AUTH_RC_SIG_ALG_BLACKLIST | 37 | The JWT is signed with a blacklisted or insecure algorithm. For example, the JWT uses an outdated signing algorithm like HS256, which has been disabled for security reasons. | This error is triggered when the JWT is signed using an algorithm that is blacklisted or considered insecure. This often occurs when the signing algorithm is outdated, weak (e.g., HS256 when only RS256 is allowed), or explicitly disallowed by security policies. It may also happen if an attacker attempts to use a downgraded algorithm to bypass security controls. |
TPED_JWT_AUTH_RC_PRIVILEGE_INV | 38 | The claims do not meet the required privileges. | This error is triggered when the claims in the JWT token do not meet the required role and permission privileges. |
TPED_JWT_AUTH_RC_SCOPE_MISMATCH | 39 | The token's scope does not match the required scope for access. | This error is triggered when the token's scope does not align with the required scope for access. For example, the JWT's scope claim lists read, but the API requires write permissions. |
TPED_JWT_AUTH_RC_NONCE_REPLAY | 40 | Replay attack detected using jti (JWT ID) claim. | This error is triggered when a replay attack is detected using the jti (JWT ID) claim. For example, a previously used JWT with the same |
TPED_JWT_AUTH_RC_KEY_USE_INV | 41 | Incorrect key use during JWT validation. | This error occurs when the JWT is signed or verified using a key for an incorrect purpose. For example, the key's use claim is enc but is being used for signing. |
TPED_AUTHORIZATION_HEADER_EMPTY | 42 | Empty Authorization Header in Request. | This error is triggered when the Authorization header is missing or empty in the HTTP request. |
TPED_JWT_AUTH_RC_CLOCK_SKEW | 43 | JWT Token's 'nbf' claim is outside the acceptable time range due to the clock skew or is not yet valid. | This error is triggered when the JWT token's nbf (not before) claim is outside the acceptable time range due to clock skew or is not yet valid. For example, a JWT with nbf set to a future timestamp is rejected because the server's clock is slightly behind or misaligned. |
TPED_JWT_AUTH_RC_CROSS_ORIGIN_BLOCK | 44 | The JWT is being used in a different origin from the one it was issued for. | This error is triggered when the JWT is used across different origins from the one it was issued for. For example, a JWT issued for example.com is used to access another-example.com. |
TPED_JWT_DEFAULT_ERROR | NA | JWT AuthN/AuthZ failed. | This error is triggered when the JWT authentication or authorization fails. For example, the server cannot parse the JWT or encounters an unhandled validation error. |
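
The header and claim checks behind several codes in Table 1-9, as an added Python example (not the product's code) that returns the code name for the first check that fails. The policy values, the order of the checks, the skew tolerance applied to exp, and the helper names `make_token` and `check_token` are assumptions made for illustration.

```python
import base64, json, time

# Assumed policy for this example (constructed values, not product defaults).
POLICY = {"allowed_algs": {"RS256"}, "blacklisted_algs": {"HS256", "none"},
          "iss": "idp-abc", "aud": "https://api.example.com",
          "required_scope": "write", "clock_skew": 60}

def _b64url_json(seg):
    """Decode one base64url segment (padding restored) into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def make_token(header, claims):
    """Build a constructed, unsigned sample token (placeholder signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

def check_token(token, policy, seen_jti, now=None):
    """Return the Table 1-9 code for the first failed check, or None.
    Signature checks (codes 21, 22, 24) are not performed here; claims
    must not be trusted until the signature has been verified."""
    now = time.time() if now is None else now
    try:
        h_seg, c_seg, _sig = token.split(".")
        header, claims = _b64url_json(h_seg), _b64url_json(c_seg)
        exp, nbf = float(claims["exp"]), float(claims.get("nbf", 0))
        alg, jti = str(header.get("alg")), str(claims["jti"])
    except (ValueError, TypeError, KeyError):
        return "TPED_JWT_AUTH_RC_DATA_INV"      # unparsable or missing field
    if header.get("typ") != "JWT":
        return "TPED_JWT_AUTH_RC_INVALID_TYP"
    if alg in policy["blacklisted_algs"]:
        return "TPED_JWT_AUTH_RC_SIG_ALG_BLACKLIST"
    if alg not in policy["allowed_algs"]:
        return "TPED_JWT_AUTH_RC_ALG_NOT_SUPPORTED"
    if now > exp + policy["clock_skew"]:        # skew on exp is an assumption
        return "TPED_JWT_AUTH_RC_TIME_INV"
    if now < nbf - policy["clock_skew"]:
        return "TPED_JWT_AUTH_RC_CLOCK_SKEW"
    if claims.get("iss") != policy["iss"]:
        return "TPED_JWT_AUTH_RC_ISS_INV"
    aud = claims.get("aud")                     # aud may be a string or a list
    if policy["aud"] not in (aud if isinstance(aud, list) else [aud]):
        return "TPED_JWT_AUTH_RC_AUD_INV"
    if policy["required_scope"] not in str(claims.get("scope", "")).split():
        return "TPED_JWT_AUTH_RC_SCOPE_MISMATCH"
    if jti in seen_jti:                         # same jti presented before
        return "TPED_JWT_AUTH_RC_NONCE_REPLAY"
    seen_jti.add(jti)
    return None
```

Pass one shared `seen_jti` set across requests so a token accepted once is reported as TPED_JWT_AUTH_RC_NONCE_REPLAY on its second use.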