Why do I receive errors like "Unauthorized" or "The login state is invalid" after upgrading MATLAB Web App Server to R2024b?

I have been using MATLAB Web App Server with OIDC authentication enabled. I recently updated from an earlier release to R2024b. However, I am now hitting errors when I attempt to log in, even though I'm using the exact same webapps_authn.json file that worked in a prior release.
After logging in, I'm redirected to a page with an error message like "Unauthorized" or "The login state is invalid."
The webapps_<timestamp> log shows errors like:

00008333 2025-02-27 17:17:56 0x000053e0 agent::processcontrol::out V processID=015efa51-14a9-43f6-bf63-3bcbbea35052, out={"level":"WARN","time":"2025-02-27T17:17:56.140-0500","caller":"authnzoidc/authnzoidc.go:364","message":"Error: oidcResponse verification of the id_token failed"}

00001010 2025-03-17 12:09:09 0x000022e0 agent::processcontrol::out V processID=68c4894c-c73b-414b-a0b4-38904ffaf297, out={"level":"WARN","time":"2025-03-17T12:09:09.877-0400","caller":"authnzoidc/authnzoidc.go:269","message":"Code login failure, msg state is invalid","msgState":"<nil>"}
Why am I now getting these errors?

Accepted Answer

MathWorks Support Team
Starting in R2024b, there were some changes to the MATLAB Web App Server authentication service. The new implementation is slightly stricter about OIDC compliance, which may cause failures with identity providers that were working in previous versions.
The most common cause of this issue is a mismatch between the issuer MWAS expects to see on the token (based on the "issuer" in webapps_authn.json) and the actual issuer in the token that is returned by the identity provider.
  • The expected issuer is found by removing the string "/.well-known/openid-configuration" from the value set as the "issuer" in the webapps_authn.json file.
  • The actual issuer can be found by entering the URL you are using as the issuer in the webapps_authn.json file into a browser -- which should send you to a JSON discovery document with information about the identity provider -- and checking the value listed as "issuer" there.
Ensure that these values match, or make changes to your webapps_authn.json file (or your identity provider configuration) to resolve any differences.
For example, if visiting the URL shows an issuer of:
https://sso.mydomain.com:443/auth/oauth
you will need to include this port in your webapps_authn.json file, like:
https://sso.mydomain.com:443/auth/oauth2/.well-known/openid-configuration
As another example, if the issuer listed at the discovery URL has a trailing '/' character:
https://mytenant.b2clogin.com/tfp/mytenant/mypolicy/v2.0/
then adjust the "issuer" in webapps_authn.json to account for the extra character:
https://mytenant.b2clogin.com/tfp/mytenant/mypolicy/v2.0//.well-known/openid-configuration
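
The issuer comparison described in the answer above can be checked offline before restarting the server. The following is an added example, not MathWorks code: the function names are hypothetical, the sample values are constructed from the two cases above, and it assumes the comparison is an exact string match.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def expected_issuer(configured: str) -> str:
    """Issuer expected on the token: the configured value minus the discovery suffix."""
    return configured[: -len(WELL_KNOWN)] if configured.endswith(WELL_KNOWN) else configured

def diagnose(configured: str, discovery_json: str) -> dict:
    """Compare the expected issuer with the one in the discovery document, exactly."""
    actual = json.loads(discovery_json)["issuer"]
    expected = expected_issuer(configured)
    differs = []
    if expected != actual:
        e, a = urlsplit(expected), urlsplit(actual)
        if e.scheme != a.scheme:
            differs.append("scheme")
        if e.hostname != a.hostname:
            differs.append("host")
        if e.port != a.port:  # an explicit :443 is not equal to an omitted port
            differs.append("port")
        if e.path != a.path:
            same_but_slash = e.path.rstrip("/") == a.path.rstrip("/")
            differs.append("trailing slash" if same_but_slash else "path")
        if not differs:
            differs.append("other")  # e.g. letter case in the host
    return {
        "match": expected == actual,
        "expected": expected,
        "actual": actual,
        "differs_in": differs,
        # Value to configure so that the derived issuer equals the advertised one.
        "suggested": actual + WELL_KNOWN,
    }

# Constructed sample inputs, modelled on the two cases in the answer above.
PORT_CASE = (
    "https://sso.mydomain.com/auth/oauth" + WELL_KNOWN,
    '{"issuer": "https://sso.mydomain.com:443/auth/oauth"}',
)
SLASH_CASE = (
    "https://mytenant.b2clogin.com/tfp/mytenant/mypolicy/v2.0" + WELL_KNOWN,
    '{"issuer": "https://mytenant.b2clogin.com/tfp/mytenant/mypolicy/v2.0/"}',
)

if __name__ == "__main__":
    for configured, doc in (PORT_CASE, SLASH_CASE):
        print(json.dumps(diagnose(configured, doc), indent=2))
```

To check a real deployment, pass the "issuer" string from webapps_authn.json and the JSON body saved from the discovery URL to `diagnose`.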
