Angular MFA Browser Redirection to Okta Instead of Application MFA

Our organization is setting up a new Angular application using the custom widget from Okta. Because we are using MFA we have used showSignInAndRedirect and handle the redirect once the user authenticates with no issues.

The question I have is that if a user is signing in from a browser that is not in private or incognito mode, the MFA redirect goes to our okta domain i.e. {organization} at which point the user is prompted to enter their code based on their chosen authentication method. However if in private or incognito mode, the user seems to be able to handle the MFA within the application itself i.e. https://{domain}/login and doesn’t redirect to the okta domain to handle MFA. When in private/incognito, we can then use custom designed MFA screens provided by the Okta Widget. We’d like to be able to do the same without being in that browser mode. Is there something missing in our configuration of the signin widget that a private browser enforces but regular browser viewing does not?

Ideally we are hoping that the user can have the ability to enter their MFA codes into the custom designed widget rather than redirecting to the Okta domain after their username and password have been entered for a more seamless experience.

Thanks so much in advance.

I think your choice of showSignInAndRedirect is a valid approach. If your intention is to stay on your app page with the widget, you need to do showSignInToGetTokens. MFA is not a driver for this decision. It can be handled by the widget w/o any redirects.

After implementing showSignInToGetTokens I ran into the error `error.description: The client specified not to prompt, but the client app requires re-authentication or MFA.`

Looking at this post - Javascript Okta Sign-In Widget - MFA not properly working - Questions - Okta Developer Community - it seems as if my initial assumption was correct, based on the comment:

Try using showSignInAndRedirect instead of showSignInToGetTokens. A self-hosted widget cannot prompt a user for app-level MFA, they must be redirected to Okta (via the /authorize URL) to get prompted accordingly.

I’m still not understanding though why if the browser is in a private mode the widget MFA is available compared to it redirecting to Okta for MFA auth when not in private mode.

Ah, you have a sign-on policy on your app level, I see. Never tried it with the widget, honestly.

I’m also a bit confused by the behavior you are experiencing. Maybe other folks can chime in?
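The two widget methods discussed in this thread (showSignInToGetTokens for the embedded flow, showSignInAndRedirect for the Okta-hosted flow) and the "client specified not to prompt" error can be wired up so that the app tries the embedded flow first and hands off to the hosted page only when Okta reports that app-level MFA requires it. The following is an added example written for this thread, not code from any of the posters or from Okta. It assumes the Okta Sign-In Widget v5+ API names (showSignInToGetTokens, showSignInAndRedirect, remove, authClient.tokenManager.setTokens); the Okta domain, client id and redirect URI are placeholders, the property names inspected for the error text are a best guess across widget versions, and the fake widget is a constructed stand-in so the flow can be run offline.

```javascript
// Added example (not from the thread): pick the widget flow and fall back to the
// redirect flow when Okta says app-level MFA cannot be satisfied in-page.
// Assumptions: Okta Sign-In Widget v5+ API; placeholder domain/client id/redirect URI;
// error-text property names (errorSummary / description / message) are a best guess.

// Error text quoted in the thread; matched on a stable substring, not the full sentence.
const NO_PROMPT_MFA_SNIPPET = 'client specified not to prompt';

function buildWidgetConfig({ oktaDomain, clientId, redirectUri }) {
  // Minimal OIDC + PKCE configuration for a self-hosted widget.
  return {
    baseUrl: `https://${oktaDomain}`,
    clientId,
    redirectUri,
    authParams: {
      issuer: `https://${oktaDomain}/oauth2/default`,
      scopes: ['openid', 'profile', 'email'],
      pkce: true,
    },
  };
}

function isNoPromptMfaError(err) {
  // Assumption: the message sits in one of these properties depending on widget version.
  const text = (err && (err.errorSummary || err.description || err.message)) || '';
  return text.includes(NO_PROMPT_MFA_SNIPPET);
}

// Resolves to { flow, tokens } so the caller knows whether sign-in finished in-page
// ('embedded') or was handed to the Okta-hosted page for MFA ('redirect').
async function signIn(widget, { el, preferEmbedded }) {
  if (!preferEmbedded) {
    await widget.showSignInAndRedirect({ el });
    return { flow: 'redirect', tokens: null };
  }
  try {
    const tokens = await widget.showSignInToGetTokens({ el });
    widget.authClient.tokenManager.setTokens(tokens);
    return { flow: 'embedded', tokens };
  } catch (err) {
    if (!isNoPromptMfaError(err)) throw err; // unrelated failures surface to the caller
    widget.remove(); // a rendered widget must be removed before rendering it again
    await widget.showSignInAndRedirect({ el });
    return { flow: 'redirect', tokens: null };
  }
}

// Constructed stand-in for the real widget so the flow can be exercised offline.
// embeddedOutcome: an Error to throw from showSignInToGetTokens, or a token object to return.
function makeFakeWidget(embeddedOutcome) {
  const widget = {
    calls: [],
    authClient: { tokenManager: { saved: null, setTokens(t) { this.saved = t; } } },
    remove() { widget.calls.push('remove'); },
    async showSignInToGetTokens() {
      widget.calls.push('showSignInToGetTokens');
      if (embeddedOutcome instanceof Error) throw embeddedOutcome;
      return embeddedOutcome;
    },
    async showSignInAndRedirect() { widget.calls.push('showSignInAndRedirect'); },
  };
  return widget;
}

// Runs both cases against the fake widget: app-level MFA required, and no MFA required.
async function demo() {
  const mfaError = new Error(
    'The client specified not to prompt, but the client app requires re-authentication or MFA.'
  );
  const withMfa = makeFakeWidget(mfaError);
  const r1 = await signIn(withMfa, { el: '#okta-login', preferEmbedded: true });
  const noMfa = makeFakeWidget({ accessToken: { accessToken: 'constructed-token' } });
  const r2 = await signIn(noMfa, { el: '#okta-login', preferEmbedded: true });
  return { r1, calls1: withMfa.calls, r2, calls2: noMfa.calls };
}

// In the browser the real call would be:
//   const widget = new OktaSignIn(buildWidgetConfig({ oktaDomain: 'your-org.okta.com',
//     clientId: 'YOUR_CLIENT_ID', redirectUri: 'https://your-app.example/login/callback' }));
//   signIn(widget, { el: '#okta-login', preferEmbedded: true });
demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point of returning the flow name is that the app can log which path each sign-in took; a sudden shift from 'embedded' to 'redirect' for all users is the signal that an app sign-on policy change now requires app-level MFA, which the self-hosted widget cannot prompt for.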