OidcToken.exe always shows NotLoggedIn with the Client Credentials flow, failing to connect to the Cloud DDC.

(This is a translation of a Japanese post by Nakagawasai Hirotomo.)

I’m using Unreal Engine 5.6.

What I am trying to achieve is to connect to the Cloud DDC via Unreal Editor, and use the build cache.

I configured authentication with the Client Credentials flow using Okta as an IdP. However, currently, both when starting the Unreal Editor and when running OidcToken.exe standalone, I fail the login and can’t use the Cloud DDC.

[Questions]

(1) What configuration is required for OidcToken.exe to use the Client Credentials flow in UE 5.6?

(2) Please see my current environment information below. Are there any missing configurations?

(3) Is there any official sample configuration for using the Cloud DDC which I can use as a reference?

[Environment]

- UE 5.6

- Using Okta as the authentication server with a custom Authorization Server already created.

- Created a scope ddc.access and allowed Client Credentials in the Access Policy

- Confirmed the following command works with curl:

curl -u "<ClientId>:<ClientSecret>" -d "grant_type=client_credentials&scope=ddc.access" "https://<okta-tenant>/oauth2/<auth-server-id>/v1/token"

[OIDC configuration]

I wrote the following in Programs/OidcToken/oidc-configuration.json.

{
 "OidcToken": {
  "Providers": {
   "okta": {
    "Identifier": "okta",
    "DisplayName": "Okta",
    "ServerUri": "https://<okta-tenant>/oauth2/<auth-server-id>",
    "TokenEndpoint": "https://<okta-tenant>/oauth2/<auth-server-id>/v1/token",
    "ClientId": "<ClientId>",
    "ClientSecret": "<ClientSecret>",
    "Scopes": ["ddc.access"]
   }
  }
 }
}


[Logs]

When starting Unreal Editor:

LogDesktopPlatform: Display: Launching OidcToken... [OidcToken.exe --Service="okta-headless" ... --Unattended=true]
LogDesktopPlatform: Warning: Failed to run OidcToken (...). No result file found, closed with exit code: 1
LogDerivedDataCache: Warning: Cloud: OidcToken: Failed to log in to HTTP services.
LogDerivedDataCache: Warning: Cloud: Failed to contact the service (...), will not use it.
LogDerivedDataCache: Unable to find inner node Cloud for hierarchy Hierarchy.

When running OidcToken.exe standalone:

[INF] Determined status of provider okta was NotLoggedIn
[INF] Fetching access token from provider okta
[WRN] Not logged in to provider okta but was running unattended so unable to login
[WRN] Was unable to allocate a token



Steps to Reproduce
[Preparation]

With your IdP service (such as Okta), configure so that OIDC authentication can be achieved.

This includes setting up a custom authorization server and allowing the scope.

In both oidc-configuration.json and DefaultEngine.ini, write the information used for OIDC authentication (such as Client ID and scopes) according to the configuration on the IdP service side.

Reproduction 1: Starting Unreal Editor

Start the Unreal Editor and load the project.

The Unreal Editor itself starts, but if you check the logs, you can see that it failed to run OidcToken.exe, and OIDC authentication failed as follows:

Failed to run OidcToken (...). No result file found, closed with exit code: 1

Reproduction 2: Running OidcToken.exe directly

Example command:

C:\work\Engine\Binaries\DotNET\OidcToken\win-x64\OidcToken.exe `
 --Service="okta" `
 --Project="C:\work\Games\Sample\Sample.uproject" `
 --OutFile="C:\work\Games\Sample\Intermediate\oidcTokenTest.json" 

The following is shown, and the expected behavior does not occur (i.e. the OIDC authentication token is not output to the path specified in OutFile):

[INF] Determined status of provider okta was NotLoggedIn
[INF] Fetching access token from provider okta
[WRN] Not logged in to provider okta but was running unattended so unable to login
[WRN] Was unable to allocate a token



Hey

Unfortunately OidcToken is not intended to be used with client credentials, it's supposed to be for interactive user flows (auth_code flows specifically).

For client credentials flows we usually just configure Horde with these credentials itself, see the “tokens” part of a Horde project definition.

In practice Horde will just run the same request as you did with curl and store that generated access token in an environment variable (UE-CloudDataCacheAccessToken) and pass it into the editor that way.

We did it like this so that you could keep the client secret as a secret in Horde or in whichever CI system you use and not have to have it in oidc-configuration.json
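The flow the reply describes, as an added example (not Epic's or Horde's code, and not part of the reply above): a CI-side script sends the same client-credentials request as the curl command and hands the resulting token to the editor through UE-CloudDataCacheAccessToken. The DDC_* variable names and the use of environment variables as the CI secret store are assumptions.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENV_VAR = "UE-CloudDataCacheAccessToken"  # name given in the reply above


def build_token_request(token_endpoint, client_id, client_secret, scope):
    """Build the POST the curl command sends: HTTP Basic client auth plus form body."""
    if not token_endpoint.lower().startswith("https://"):
        raise ValueError("token endpoint must be https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return urllib.request.Request(
        token_endpoint,
        data=body.encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(raw):
    """Return the access token from an OAuth 2.0 token response, or raise."""
    doc = json.loads(raw)
    if "error" in doc:
        raise RuntimeError(f"token endpoint refused: {doc['error']}")
    token = doc.get("access_token")
    if not token or doc.get("token_type", "").lower() != "bearer":
        raise RuntimeError("response carries no bearer access_token")
    return token


def editor_environment(access_token, base_env=None):
    """Copy the environment, add the token, and drop the client secret."""
    env = dict(os.environ if base_env is None else base_env)
    env.pop("DDC_CLIENT_SECRET", None)  # hypothetical variable name (assumption)
    env[TOKEN_ENV_VAR] = access_token
    return env


def fetch_editor_environment():
    """Read credentials from the CI secret store (assumed: env vars) and fetch a token."""
    req = build_token_request(os.environ["DDC_TOKEN_ENDPOINT"], os.environ["DDC_CLIENT_ID"],
                              os.environ["DDC_CLIENT_SECRET"], "ddc.access")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return editor_environment(parse_token_response(resp.read()))
```

Pass the returned dict as `env=` to `subprocess.run` when launching the editor, so the child process receives only the short-lived access token and the client secret stays out of oidc-configuration.json.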


(This is a translation of a Japanese post by Nakagawasai Hirotomo.)

Sorry for the delayed response.

I now understand that in order to use the Client Credentials flow, the authentication information should be incorporated into Horde.

Thank you very much for your support.

(Please close this thread.)