Api validation failed: factorActivationRequest

Today 9/11/2019 around 3:23 PST we began receiving E0000001 errors from Okta when sending POST Activate Factor.

We are getting back an HTTP 400 with the following error:

{
    "errorCode": "E0000001",
    "errorSummary": "Api validation failed: factorActivationRequest",
    "errorLink": "E0000001",
    "errorId": "<redacted>",
    "errorCauses": [
        {
            "errorSummary": "Factor not allowed for the user based on the Multifactor policy."
        }
    ]
}

I was unable to find any API documentation about this specific error. This has been working for months, and we haven’t touched our auth service in some time, so I’m struggling to understand why this issue is popping up now. Is anyone familiar with this error?

It might be a change within your environment. Please ensure that the factor is allowed for the user within your tenant.

I can fully describe what was happening here, as jjdonov is a coworker of mine.

The gist:

  • We were using the Oktapreview site and the API changed without warning.
  • Our original code attempted to enroll them into the factor (regardless of whether they were already enrolled). Okta would respond back with a specific failure message and we would, upon receiving it, change to validating their response. This would save us a query on every new user, and not cost us anything for existing users (which still requires two queries).

The new API threw a new message and there was no documentation as to what this meant. Digging into Okta makes the error a bit more apparent, but there’s nothing like having documentation.

A couple of disclaimers:

  • I didn’t make the original code and it was definitely bad code. (That said, I have other bad code that can be blamed on me.)
  • Our code has since been amended and is working.
  • Okta should have alerted its customers as to a change in their API.
  • Okta should have also alerted its support staff to the change in their API.

This seems like it was a miss on all fronts, but thanks to some great support staff and some serious code dissection, a solution was found.
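An added example, not part of the thread and not the posters' code: one way to avoid using a failure message as control flow is to pick the enroll, activate or verify step from the user's listed factor state and to stop on any error response. The factor field names and status values are assumed to match Okta's factor objects, and `next_step`, `check_response` and the sample ids are hypothetical.

```python
from __future__ import annotations
import json

# Constructed sample: the error body quoted in the first post (errorId is redacted there).
POLICY_DENIED_BODY = """{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: factorActivationRequest",
  "errorCauses": [
    {"errorSummary": "Factor not allowed for the user based on the Multifactor policy."}
  ]
}"""

# Constructed sample of a user's factor list. Field names and status values are
# assumed to match Okta's factor objects; the ids are made up.
SAMPLE_FACTORS = [
    {"id": "factor-1", "factorType": "sms", "status": "ACTIVE"},
    {"id": "factor-2", "factorType": "token:software:totp", "status": "PENDING_ACTIVATION"},
]

class FactorFlowError(Exception):
    """Any non-2xx response; the flow stops instead of switching steps."""

def parse_okta_error(body: str) -> tuple[str, list[str]]:
    """Return (errorCode, [cause summaries]) from an error body."""
    doc = json.loads(body)
    causes = [c.get("errorSummary", "") for c in doc.get("errorCauses", [])]
    return doc.get("errorCode", ""), causes

def next_step(factors: list[dict], factor_type: str) -> str:
    """Choose the step from listed factor state, not from an error message."""
    for factor in factors:
        if factor.get("factorType") != factor_type:
            continue
        if factor.get("status") == "ACTIVE":
            return "verify"
        if factor.get("status") == "PENDING_ACTIVATION":
            return "activate"
    return "enroll"  # assumption: any other status is treated as not enrolled

def check_response(http_status: int, body: str) -> dict:
    """Return the parsed body on 2xx; otherwise fail closed with the details."""
    if 200 <= http_status < 300:
        return json.loads(body)
    code, causes = parse_okta_error(body)
    raise FactorFlowError(f"HTTP {http_status} {code}: {'; '.join(causes) or 'no cause'}")
```

With this shape, a new or reworded error such as the policy denial above surfaces as a logged failure with its `errorCode` and causes instead of silently steering the user into a different MFA step.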

Glad you figured it out!