After ADC is upgraded from 12.1 to 13.0, users keep getting "Cannot Complete Your Request" when attempting to access resources through ADC with OAuth authentication.
By comparison, there is no issue accessing StoreFront directly on the intranet without OAuth.
add authentication OAuthAction xxxx -OAuthType GENERIC -authorizationEndpoint "http://xxxxxx" -tokenEndpoint "http://xxxxx" -clientID xxx -clientSecret XXXX -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2023_03_17_08_16_15 -refreshInterval 1440 -userNameField MAIL -skewTime 5 -UserInfoURL "http://xxxxxxx" -grantType CODE -authentication ENABLED -introspectURL "http://xxxxxx" -allowedAlgorithms HS256 RS256 RS512 -PKCE ENABLED -tokenEndpointAuthMethod client_secret_post
To debug the error, capture Wireshark network traces on both NetScaler and StoreFront in the normal (successful OAuth login) and the abnormal (unsuccessful OAuth login) scenarios.
In the successful login, StoreFront receives the correct Citrix AG username.
In the unsuccessful scenario, NetScaler cannot obtain the correct username from OAuth, so it submits the request to the backend StoreFront as an anonymous user.
The root cause is that newer NetScaler builds such as 13.0-89.7 contain an RFC-related change: access tokens must be validated against the introspectURL before the userInfoURL is contacted.
If no introspectURL is configured in the OAuth action, NetScaler does not send the request to the userInfoURL and therefore fails to obtain the user information.
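As an added illustration (not code from the article or from NetScaler): a Python sketch that audits running-config OAuthAction lines for a missing introspectURL and models the post-upgrade lookup order described above. The config lines, endpoint URLs and IdP responses are constructed, and the userinfo claim key is assumed to equal the userNameField value.

```python
import shlex

# Constructed sample running-config lines (not from the page); the first omits introspectURL.
SAMPLE_CONFIG = [
    'add authentication OAuthAction OA_BROKEN -OAuthType GENERIC -clientID app '
    '-clientSecret s3cret -encrypted -userNameField MAIL -grantType CODE '
    '-UserInfoURL "https://idp.example/userinfo" -allowedAlgorithms HS256 RS256',
    'add authentication OAuthAction OA_OK -OAuthType GENERIC -clientID app '
    '-clientSecret s3cret -encrypted -userNameField MAIL -grantType CODE '
    '-UserInfoURL "https://idp.example/userinfo" -introspectURL "https://idp.example/introspect"',
]

def parse_oauth_action(line):
    """Parse one 'add authentication OAuthAction <name> -opt val ...' line into a dict.
    Valueless flags (-encrypted, -kek) become True; multi-valued options become lists."""
    tokens = shlex.split(line)
    if tokens[:3] != ["add", "authentication", "OAuthAction"]:
        raise ValueError("not an OAuthAction line")
    params, i = {}, 4
    while i < len(tokens):
        key = tokens[i].lstrip("-").lower()
        vals, i = [], i + 1
        while i < len(tokens) and not tokens[i].startswith("-"):
            vals.append(tokens[i])
            i += 1
        params[key] = True if not vals else (vals[0] if len(vals) == 1 else vals)
    return {"name": tokens[3], "params": params}

def actions_missing_introspect(config_lines):
    """Pre-upgrade audit: OAuthActions that have a UserInfoURL but no introspectURL."""
    names = []
    for line in config_lines:
        if line.startswith("add authentication OAuthAction"):
            a = parse_oauth_action(line)
            if "userinfourl" in a["params"] and "introspecturl" not in a["params"]:
                names.append(a["name"])
    return names

def resolve_username(params, introspect, userinfo):
    """Model the 13.0-89.7+ order: introspect the token first, then call userinfo.
    introspect/userinfo stand in for the HTTP calls; None models the anonymous fallback."""
    if "introspecturl" not in params:
        return None                      # cannot validate -> user is sent as anonymous
    if not introspect(params["introspecturl"]).get("active"):
        return None                      # token rejected by the IdP
    claims = userinfo(params["userinfourl"])
    return claims.get(params["usernamefield"])   # assumption: claim key == userNameField

# Stand-ins for the identity provider (constructed responses).
def fake_introspect(url):
    return {"active": True, "scope": "openid email"}

def fake_userinfo(url):
    return {"sub": "1234", "MAIL": "alice@example.com"}
```

Running `actions_missing_introspect` over a saved `ns.conf` before upgrading lists the OAuth actions that would start producing anonymous sessions.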