Submit Feedback
Knowledge Base
Published Sep. 22, 2025

Troubleshooting Missing OpenID Connect Login Option and OIDC "not requested or was removed" Errors

Written By

Redwan Hilali

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Issue

  • The OpenID Connect option doesn’t appear in the Sign In (login) portlet; or, starting OIDC returns an “OpenID Connect was not requested or was removed” error.

Environment

  • Liferay DXP Quarterly Release: 2024.Q1+

Resolution

If the Open ID connect button is not displayed in the login widget, there is likely a misconfigured OpenID Connect setting or an issue at the network level (as Liferay needs access to the Discovery URL to validate your OIDC provider). To debug this, follow these steps:

  1. Enable OIDC debug logs:
    • Set the log level of com.liferay.portal.security.sso.openid.connect to DEBUG. See Configuring Logging for relevant steps.
  2. Verify OIDC is enabled:
    • Navigate to Global Menu (Global Menu) → Control PanelInstance SettingsSecuritySSOOpenID Connect, ensure the Enabled checkbox is selected, and click Save
  3. Verify at least one provider is configured:
    • Check the following two locations, adding a provider if needed:
      • Global Menu (Global Menu) → Control Panel → Security → OAuth Client Administrationor
      • Global Menu (Global Menu) → Control Panel  Instance SettingsSecuritySSOOpenID Connect Provider Connection

If the issue is still present: 

  1. Observe the generated Liferay logs and review for any errors or warnings related to OpenID Connect.

  2. Ensure all proper attributes are set in the Discovery URL: 

    • For example, verify the
      • Subject Types (public/pairwise)
      • Response Type
      • ID Token Signing Algs (e.g., RS256), and
      • Endpoints (authorize/token/userinfo/JWKS)

    • If any attributes are missing from the Discovery URL, provide them in the Custom Object through OAuth Client Administration.

  3. Manually Test the Provider: 

    1. Trigger the following URL from your browser, appending it to your site domain: /home/-/login/openid_connect_request?p_p_state=maximized&_com_liferay_login_web_portlet_LoginPortlet_saveLastPath=false&_com_liferay_login_web_portlet_LoginPortlet_redirect=/&_com_liferay_login_web_portlet_LoginPortlet_OPEN_ID_CONNECT_PROVIDER_NAME=<EXACT_PROVIDER_NAME>
      • Make sure to replace <EXACT_PROVIDER_NAME> with the exact name of your provider.
    2. If everything is set properly, this should work as expected and redirect to your SSO.
    3. If there is instead an issue in the Discovery URL or Auth Request attribute, information about it should be displayed in the Liferay logs.
      • For example, Logs mentioning missing "supported_subject_types" suggest that this attribute needs to be added to your Liferay OIDC configurations via OAuth Client Administration.
Did this article resolve your issue ?
Knowledge Base
Did this article resolve your issue ?