"ERROR (invalid-token): Invalid token." after seemingly successful login via GitHub #657

@TidbitSoftware

WordPress version: 6.9.4
PHP version: 8.3.30
Plugin version: 3.11.3
IDP type: GitHub

I am running the plugin on a local development installation of WordPress (MAMP, custom vhost). I've used the following values for setting up the plugin to use GitHub as an IDP:

OpenID Scope: openid
Login Endpoint URL: https://github.com/login/oauth/authorize
Userinfo Endpoint URL: https://api.github.com/user
Token Validation Endpoint URL: https://github.com/login/oauth/access_token
JWKS URI: https://github.com/login/oauth/.well-known/jwks
Enable Refresh Token: checked
Disable SSL Verify: checked
Allow Internal IDP: checked
Redirect Back to Origin Page: checked

I know the Client ID and Client Secret Key are set correctly because I get directed to GitHub and presented with the option to authorize. Then I am redirected successfully to WordPress. However, I get "ERROR (invalid-token): Invalid token." printed to the front-end screen. In the plugin settings page, the messages are not much more helpful. Example:

Type make_authentication_url
URI : /wp-login.php?login-error=invalid-token&message=Invalid+token.

https://github.com/login/oauth/authorize?response_type=code&scope=openid&client_id=Ov23lizbKNqS3UE9uM0a&state=2e35e330225129bd593eb8a5ac5b51e5&redirect_uri=http%3A%2F%2Fghub-wp.local%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize

Type invalid-token
URI : /wp-admin/admin-ajax.php?action=openid-connect-authorize&code=&state=bac53761774350de40745d20623c9f3e

Invalid token.

Type request_authentication_token
URI : /wp-admin/admin-ajax.php?action=openid-connect-authorize&code=&state=bac53761774350de40745d20623c9f3e

https://github.com/login/oauth/access_token

Type ssl-bypass-warning
URI : /wp-admin/admin-ajax.php?action=openid-connect-authorize&code=&state=bac53761774350de40745d20623c9f3e

SSL verification disabled - ONLY for development. NEVER use in production!

I'm not sure what I'm missing here. I would otherwise suspect it has to do with it being in a local environment, or that I'm using a vhost (localhost -> my-site.local) but all redirects otherwise seem to be working correctly.

Any insights from the developers or community who have also gotten this working with GitHub and/or a local environment would be greatly appreciated.
