OIDC SSO with Google – “DecodeAndVerifyJWT” error

Hi everyone,

I’m trying to configure OIDC SSO with Google in my Mendix application, and I’m facing an issue.

Setup Details
- Using OIDC SSO module
- Identity Provider: Google
- Discovery URL: https://accounts.google.com/.well-known/openid-configuration
- Callback URL: http://localhost:8080/oauth/v2/callback
- Scopes selected: openid, email, profile
- Client ID & Secret configured correctly

Issue
Google login works successfully ✅
After redirect back to Mendix, I get: Authentication failed
In console logs: Error occurred while DecodeAndVerifyJWT

What I have checked
- Scopes are properly selected
- Client ID & Secret match Google Console
- Callback URL is correct
- Using standard User Provisioning microflow

My question
What could cause the DecodeAndVerifyJWT error after successful authentication? Is this related to:
- Missing JWKS / configuration import?
- Incorrect issuer or endpoints?
- Something else in Mendix configuration?

Additional Info
I have already added the discovery URL, but not sure if anything else is required for token verification.

Any help would be greatly appreciated 🙏
asked
1 answers

If Google authentication itself succeeds and the error happens specifically at DecodeAndVerifyJWT, then the issue is usually not related to the client ID/secret, scopes, or callback URL anymore. Those parts are already working, since the login flow completes successfully.


At this stage, Mendix is failing during ID token validation. The most common cause is an issuer mismatch. The iss value inside the token must exactly match what Mendix expects from the provider configuration. Even a small difference can cause the verification to fail.


Another common reason is related to JWKS (public keys). Mendix uses the keys from the discovery document to verify the token signature. If the provider configuration was not properly imported or initialized, Mendix may not be able to validate the signature correctly.


You should also check the audience (aud claim). The token must contain the same client ID that you configured in Mendix. If there is any mismatch between Google Console and Mendix, decoding will fail after authentication.


Additionally, make sure your server time is correct. A clock skew issue can cause the token to be considered expired or not yet valid, which also leads to DecodeAndVerifyJWT errors.


My suggestion would be to reimport or recreate the Google IdP configuration using the discovery URL, verify the issuer value, and ensure the same client ID is used everywhere. Also, check the full runtime log, as it usually indicates whether the failure is due to issuer, signature, audience, or token timing.


If this resolves your issue, please mark it as accepted.


answered
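The checks the answer lists (kid present in the JWKS, iss, aud, exp/nbf with clock skew) as a small stand-alone diagnostic. This is an added example, not code from the Mendix OIDC module or the forum post; the issuer, client ID, key IDs and token contents are constructed sample values, and real signature verification additionally requires the RSA public key from the JWKS, which is out of scope here.

```python
import base64
import json
import time

# Constructed sample values (not from the post): expected issuer from the
# discovery document, the configured client ID, and key IDs seen in the JWKS.
EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_AUDIENCE = "example-client-id.apps.googleusercontent.com"
JWKS_KEY_IDS = {"key-2024-a", "key-2024-b"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(header: dict, claims: dict) -> str:
    # Builds a token for the claim checks below; the third segment is a
    # placeholder, so this token is NOT cryptographically signed.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{enc({'sig': 'placeholder'})}"


def diagnose_id_token(token, expected_issuer, expected_audience, jwks_key_ids, now=None, leeway=60):
    """Return the list of reasons an ID token would fail validation (empty means the claims pass)."""
    now = int(time.time()) if now is None else now
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: a JWS compact token has exactly three segments"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    # Signature prerequisite: the key named by 'kid' must exist in the fetched JWKS.
    if header.get("kid") not in jwks_key_ids:
        problems.append(f"signature: kid {header.get('kid')!r} not in JWKS (re-import provider config)")
    # Issuer must match the discovery document's 'issuer' byte for byte.
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer: token iss {claims.get('iss')!r} != expected {expected_issuer!r}")
    # Audience: 'aud' may be a string or a list; the configured client ID must be in it.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud_list:
        problems.append(f"audience: {aud!r} does not contain client ID {expected_audience!r}")
    # Timing: compare exp and nbf (or iat) against the local clock with a skew allowance.
    if "exp" not in claims or now > claims["exp"] + leeway:
        problems.append("timing: token expired or has no exp (check server clock)")
    if now + leeway < claims.get("nbf", claims.get("iat", 0)):
        problems.append("timing: token not yet valid (check server clock)")
    return problems
```

Run it against the decoded token from the runtime log to see which of the four categories the failure falls into before touching the Mendix configuration.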