AW: Exception unwrapping data: Tag mismatch! in "Profile Action ValidateGrant"

Bergmann, Clemens clemens.bergmann at
Fri Apr 8 21:37:10 UTC 2022

Hi Scott,

thanks for the quick reply. Unfortunately I just checked and the code leaving the idp is the same that also returns on the token endpoint.

One other noteworthy information is that the Idp is setup as a loadbalanced pair. Could it be a problem if Authorization Endpoint and Token Endpoint are served by different IdPs? Both are configured exactly the same.

Viele Grüße
Clemens (Bergmann)
Clemens Bergmann
Gruppe Nutzermanagement und Entwicklung
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64289 Darmstadt
Tel. +49 6151 16 71184

> -----Ursprüngliche Nachricht-----
> Von: users <users-bounces at> Im Auftrag von Cantor, Scott
> via users
> Gesendet: Freitag, 8. April 2022 17:47
> An: Shib Users <users at>
> Cc: Cantor, Scott <cantor.2 at>
> Betreff: Re: Exception unwrapping data: Tag mismatch! in "Profile Action
> ValidateGrant"
> >    I unfortunately only sometimes get an “Exception unwrapping data: Tag
> mismatch!” when an oidc-rp tries to
> > get the access token in the Authorization Code Flow.
> That client is mishandling the code then, it's changing something in the data.
> >    I traced the problem down to [1] but could not find out where to increase
> debugging to show me what
> >  exactly is wrong with the data that should be unwrapped.
> Wouldn't tell you anything more, it's a decryption failure because the data
> has been modified.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-
> unsubscribe at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6377 bytes
Desc: not available
URL: <>

More information about the users mailing list