Troubleshoot Connected Apps - Direct Trust
When embedded content fails to display in your custom application or Tableau REST API authorization fails, you can use a browser’s developer tools to inspect and identify error codes that might be associated with the Tableau connected app that’s used to display the embedded content.
Note: In order for the session token to be valid, the clocks of the external application and the server that hosts the external application must be set to Coordinated Universal Time (UTC). If either clock uses a different standard, the connected app will not be trusted.
Refer to the table below to review the description of the error code and potential resolution.
| Error code | Summary | Description | Potential resolution or explanation |
| 5 | SYSTEM_USER_NOT_FOUND | Tableau user could not be found |
sub' (Subject) claim value in the JWT is "username" for Tableau Server. This value is case sensitive. |
| 16 | LOGIN_FAILED | Login failed | This error is typically caused by one of the following claim issues in the JWT:
|
| 67 | FEATURE_NOT_ENABLED | On-demand access is not supported | On-demand access is available through licensed Tableau Cloud sites only. |
| 126 | CONNECTED_APP_NOT_FOUND | The connected app could not be found | To resolve this issue, verify the connected app is enabled and the correct client ID (also known as the connect app ID) is referenced in the JWT. |
| 127 | CONNECTED_APP_SECRET_NOT_FOUND | The connected app's secret could not be found | To resolve this issue, verify the correct connected app's secret ID and secret value are referenced in the JWT. |
| 128 | CONNECTED_APP_SECRET_LIMIT_EXCEEDED | Maximum limit for secrets has been reached | A maximum of two secrets are allowed for a connected app. This error can occur when there's an attempt to create a third secret.
To resolve this issue, delete a secret from the connected app before creating a new one. |
| 133 | INVALID_CONNECTED_APP_DOMAIN_SAFELIST | Domain allowlist contains one or more invalid characters | This error can occur when the domain allowlist contains one or more invalid characters. |
| 10083 | BAD_JWT | JWT header contains issues | The 'kid' (Secret ID) or 'clientId' (Issuer) claims are missing from the JWT header. To resolve this issue, ensure this information is included.
|
| 10084 | JWT_PARSE_ERROR | JWT contains issues | To resolve this issue, verify the following:
|
| 10085 | COULD_NOT_FETCH_JWT_KEYS | JWT could not find keys | Could not find the secret.
To resolve this issue, verify the correct 'kid' (Secret ID) is used in the JWT header. |
| 10087 | BLOCKLISTED_JWS_ALGORITHM_USED_TO_SIGN | Issue with the JWT signing algorithm | To resolve the issue, you can remove the signing algorithm. For more information, see vizportal.oauth.external_authorization_server.blocklisted_jws_algorithms. |
| 10089 | CONNECTED_APP_NOT_FOUND | Could not find connected app | To resolve this issue, ensure the issuer is calling the correct connected app ID (also known as the client ID). |
| 10090 | CONNECTED_APP_DISABLED | Connected app is disabled | The connected app used to verify trust is disabled. To resolve this issue, enable the connected app. |
| 10091 | JTI_ALREADY_USED | Unique JWT required | The JWT has already been used in the authentication process. To resolve this issue, a new JWT must be generated. |
| 10092 | NOT_IN_DOMAIN_ALLOW_LIST | Domain of the embedded content is not specified | To resolve this issue, ensure the unrestrictedEmbedding setting is set to true or domainAllowlist parameter includes the domains where Tableau content is embedded using the Update Embedding Settings for Site(Link opens in a new window) method in the Tableau REST API. |
| 10094 | MISSING_REQUIRED_JTI | Missing JWT ID | To resolve this issue, verify the 'jti' (JWT ID) is included in the JWT. |
| 10096 | JWT_EXPIRATION_EXCEEDS_CONFIGURED_EXPIRATION_PERIOD | Issue with expiration time |
exp' (Expiration Time) exceeds the default maximum validity period. To resolve this issue, review registered claims(Link opens in a new window) required for a valid JWT and ensure the correct value is used. To change the maximum validity period, you can use the vizportal.oauth.external_authorization_server.max_expiration_period_in_minutes command. |
| 10097 | SCOPES_MALFORMED | Issues with scopes claim | This error can occur when the 'scp' (Scope) claim is either missing from the JWT or not passed as a list type. To resolve this issue, verify 'scp' is included in the JWT and passed as a list type. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site. |
| 10098 | JWT_UNSIGNED_OR_ENCRYPTED | JWT is unsigned or encrypted | Tableau does not support an unsigned or encrypted JWT. |
| 10099 | SCOPES_MISSING_IN_JWT | Missing scopes claim | The JWT is missing the required 'scp' (scope) claim. To resolve this issue, verify 'scp' is included in the JWT. For troubleshooting help with a JWT, see Debugger(Link opens in a new window) on the auth0 site. |
| 10100 | JTI_PERSISTENCE_FAILED | Unexpected JWT ID error | There was an unexpected 'jti' (JWT ID) error. To resolve this issue, a new JWT with a new 'jti' must be generated. |
| 10103 | JWT_MAX_SIZE_EXCEEDED | JWT exceeds maximum size | This error can occur when JWT size exceeds 8000 bytes. To resolve this issue, make sure that only the necessary claims are being passed to Tableau Server. |
| 10105 | ORIGIN_HEADER_NOT_A_VALID_URI | Invalid Origin header | This error can occur because 1) a URL is specified in the domain allowlist and 2) the Origin header does not contain a valid URL. |