Based on your screenshot you are running a Virtuoso 08.02.3309 build from Oct 2018 (and associated VAL VAD 2.2.2_git161 version), which is very old. There have been a number of VAL and other related fixes in the latest Virtuoso 08.03.3329 Release Sept 2023 build that you would most probably benefit from, and we would recommend upgrading to it.
The fix we supplied to you in Oct’22 was integrated into our production VAL VAD shortly afterwards. Below is an extract from the current VAD.
```sql
procedure VAL.DBA.oauth_token (
  -- A scope request parameter is not required for authorization code grant.
  -- An OpenAM Authorization Server returns an error if a redundant scope parameter is supplied
  -- with an access token request and Authorization Code Grant is used.
  -- See: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
  -- if (not isnull (scope))
  --   params := params || sprintf ('&scope=%U', scope);
```
Please check your VAL VAD is up to date. If you still get an error when verifying the identity provider binding, we will need more detailed information to isolate the cause.
To get a detailed Virtuoso console trace showing OAuth/OIDC calls, issue this command before verifying the binding: `registry_set ('__debug_oauth2.0', '1');`
Afterwards, to turn the OAuth diagnostics off, issue `registry_remove('__debug_oauth2.0');`
Please provide us with a Virtuoso console trace and a browser trace showing the network calls.
```sql
create procedure DB.DBA.app_reg_verify_success (
  in url varchar,
  in params any,
  in service varchar,
  in serviceId varchar,
  in profileData any,
  in oauthData any,
  in oauthSid varchar)
{
  -- Trace the call when OAuth 1.0 or 2.0 debugging is enabled in the registry
  if ((registry_get ('__debug_oauth1.0') = '1') or (registry_get ('__debug_oauth2.0') = '1'))
    dbg_obj_princ ('DB.DBA.app_reg_verify_success (', url, params, service, serviceId, ')');

  declare _key, _secret varchar;
  -- No matching APP_REG row for this service: report verification failure
  declare exit handler for not found
  {
    return sprintf ('%s&v=no', url);
  };

  update OAUTH.DBA.APP_REG set A_VERIFIED = 1 where A_NAME = service;
  -- This select raises "not found" if the service is not registered
  select A_KEY, A_SECRET into _key, _secret from OAUTH.DBA.APP_REG where A_NAME = service;
  return sprintf ('%s&v=yes', url);
}
```
There’s not enough information in your previous posts for me to understand what’s going wrong. Please provide the traces I’ve asked for.
Using Chrome’s Dev Tools, you can dump the browser trace of the network requests to a .har file using the highlighted menu item in the screenshot below. You can then edit the .har file to remove any confidential information before sending it to us with the Virtuoso console output.
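The redaction step described above can be scripted rather than done by hand. The following is an added example, not part of the original posts or of Virtuoso/VAL: it masks credentials in a parsed .har file while keeping hosts and paths readable. The lists of secret header and parameter names and the sample hosts and values are assumptions.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names treated as secret in an OAuth/OIDC exchange (an assumed list; extend for your IdP).
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SECRET_PARAMS = {"code", "access_token", "refresh_token", "id_token",
                 "client_secret", "password", "sid"}
MASK = "REDACTED"

def mask_url(url):
    # Mask secret query parameters but keep scheme, host and path for diagnosis.
    parts = urlsplit(url)
    query = [(k, MASK if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def mask_pairs(pairs, secret_names):
    # HAR stores headers, query strings and form fields as name/value lists.
    for pair in pairs or []:
        name = pair.get("name", "").lower()
        if name in secret_names:
            pair["value"] = MASK
        elif name in ("location", "referer"):  # values that are themselves URLs
            pair["value"] = mask_url(pair.get("value", ""))

def redact_har(har):
    """Return a copy of a HAR dict with credentials, cookies and bodies masked."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for msg in (entry.setdefault("request", {}), entry.setdefault("response", {})):
            mask_pairs(msg.get("headers"), SECRET_HEADERS)
            msg["cookies"] = []  # parsed cookie copies duplicate the Cookie headers
        req, resp = entry["request"], entry["response"]
        req["url"] = mask_url(req.get("url", ""))
        mask_pairs(req.get("queryString"), SECRET_PARAMS)
        post = req.get("postData") or {}
        mask_pairs(post.get("params"), SECRET_PARAMS)
        # Raw bodies can carry tokens in any encoding, so they are masked whole.
        for body in (post, resp.get("content") or {}):
            if "text" in body:
                body["text"] = MASK
    return out

# Constructed sample (hosts and values are made up); the callback path is the one in the thread.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "http://sp.example:8890/val/api/thirdparty_callback?code=abc123&state=s1",
                "headers": [{"name": "Cookie", "value": "sid=deadbeef"}],
                "cookies": [{"name": "sid", "value": "deadbeef"}]},
    "response": {"headers": [{"name": "Location", "value": "/val/x?sid=deadbeef&v=no"}],
                 "content": {"text": "{\"access_token\": \"tok\"}"}}}]}}
```

Load the exported file with `json.load`, pass it through `redact_har`, and read through the result before sending it, since names outside the assumed lists are left untouched.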
I’ve received the .har file you emailed, thanks. The OAuth callback URL you’ve specified in the OAuth binding looks odd - http://IP:8890/val/api/thirdparty_callback. This should be an https endpoint, not http. Please also provide a Virtuoso console trace.