External Identity Provider - Azure is not working with HTTP status code:401 UNAUTHORIZED

Article ID: 382061
Products

VIP Authentication Hub

Issue/Introduction

From the admin console, an administrator tests a new Azure IDP provider connection (registered on the Azure side as an SPA).

On the Azure side, under Authentication, SPA (Single Page Applications) was chosen rather than the "Web" option.

After the user credentials are entered during the login test from the admin console, the request reaches the Azure target ~/oauth2/v2.0/token endpoint.

The response fails with the error: "HTTP status code:401 UNAUTHORIZED & status message:Unauthorized for the OpenID Provider : ExampleProviderName".

Environment

GKE with k8s v1.30.5

VIP Authentication Hub 3.2.2

Cause

Azure's registration of VIP Authentication Hub as an OpenID app was of type "public client", so Azure expected Authentication Hub, acting as the RP, to send an HTTP Origin header and not to send a client secret.

Overly aggressive validation on the provider side gets in the way: instead of accepting the necessary and sufficient information the contract requires and ignoring what it does not use, it rejects the request.

In any case, the "public client" categorization is reserved for RPs that represent web SPAs, not for clients that represent security middleware.

The correct client type when registering VIP Authentication Hub as an RP in an external platform is "confidential client".

Resolution

1. The customer can reconfigure the Azure client back to a "Web" app instead of "SPA".

2. If the SPA (Single Page Applications) option is to be kept on the Azure side, then VIP Auth Hub should be configured to integrate with the OIDC application in the IDP (Azure) as a confidential client, not a public client.
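The following Python script is an added illustration, not code from Broadcom, VIP Authentication Hub or Azure. It models the token-endpoint contract the Cause section describes with a toy validator (the `validate_token_request` function and the `REGISTRATIONS` table are constructed stand-ins, not Azure's implementation): a "spa" (public client) registration expects an Origin header and rejects a client secret, while a "web" (confidential client) registration expects client_id plus client_secret. Running the three scenarios shows why an auth middleware, which sends no browser Origin, gets 401 against an SPA registration and succeeds against a confidential one.

```python
"""Toy model of an OpenID Provider's /token validation for the two client types
contrasted in this article. Constructed example; all ids and secrets are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample registrations keyed by client_id (placeholder values).
REGISTRATIONS: Dict[str, dict] = {
    "authhub-spa-app": {"type": "spa", "secret": None},
    "authhub-web-app": {"type": "web", "secret": "example-secret-placeholder"},
}


@dataclass
class TokenResponse:
    status: int
    message: str


def build_token_request(client_id: str, code: str, redirect_uri: str,
                        client_secret: Optional[str] = None,
                        origin: Optional[str] = None) -> Tuple[dict, dict]:
    """Build (headers, form body) for an authorization-code exchange.

    A confidential-client RP (security middleware such as an auth hub) sends
    client_secret in the body; a browser SPA sends no secret and the browser
    itself adds the Origin header.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if origin:
        headers["Origin"] = origin
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return headers, body


def validate_token_request(headers: dict, body: dict,
                           registrations: Dict[str, dict] = REGISTRATIONS) -> TokenResponse:
    """Toy provider-side validation mirroring the contract described in the Cause."""
    reg = registrations.get(body.get("client_id", ""))
    if reg is None:
        return TokenResponse(401, "Unauthorized: unknown client_id")
    if reg["type"] == "spa":
        # Public client: must look like a browser request (Origin present) and
        # must not authenticate with a secret.
        if "client_secret" in body:
            return TokenResponse(401, "Unauthorized: public client must not send client_secret")
        if "Origin" not in headers:
            return TokenResponse(401, "Unauthorized: Origin header required for SPA client")
        return TokenResponse(200, "OK")
    # Confidential client: the secret is the client's credential.
    if body.get("client_secret") != reg["secret"]:
        return TokenResponse(401, "Unauthorized: invalid or missing client_secret")
    return TokenResponse(200, "OK")


def run_scenarios() -> Dict[str, int]:
    """Replay the article's situation and its two resolutions; returns status codes."""
    code, redirect = "constructed-auth-code", "https://authhub.example/callback"
    results = {}
    # 1. Middleware (no Origin, no secret) against an SPA registration: the article's 401.
    results["hub_vs_spa"] = validate_token_request(
        *build_token_request("authhub-spa-app", code, redirect)).status
    # 2. Middleware sending a secret against the same SPA registration: still 401.
    results["hub_secret_vs_spa"] = validate_token_request(
        *build_token_request("authhub-spa-app", code, redirect,
                             client_secret="example-secret-placeholder")).status
    # 3. Middleware as a confidential client against a "web" registration: succeeds.
    results["hub_vs_web"] = validate_token_request(
        *build_token_request("authhub-web-app", code, redirect,
                             client_secret="example-secret-placeholder")).status
    # 4. A real browser SPA (Origin, no secret) against the SPA registration: succeeds.
    results["browser_vs_spa"] = validate_token_request(
        *build_token_request("authhub-spa-app", code, redirect,
                             origin="https://spa.example")).status
    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: HTTP {status}")
```

Scenario 4 is the case the SPA registration type is designed for; scenarios 1 and 2 are the middleware mismatch this article describes, and scenario 3 is the state reached by either resolution step.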

Additional Information

Integration of the external OIDC Identity provider with VIP AuthHub 3.2.1 version fails

https://knowledge.broadcom.com/external/article?articleNumber=377457