Error 400 bad request

In my web application I've integrated the Okta widget.
Login works correctly and in the dashboard I can see my user authenticated, but the redirect page doesn't work.
I receive this message:

400 bad request

Provider di identità: Unknown
Codice errore: invalid_request
Descrizione: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.

Thanks for your help!!


I assume that you have created a “Web Application” in Okta developer console.

While creating the app, you need to provide “Login redirect URIs” which should be the same as the redirect page.
You can update your existing app in okta, to use your redirect URI.

Once you do that, you should be able to redirect back to the page after authentication.

Dear vijet,

first of all thanks for your help.
Your assumption is correct: I have created a Web application, and I also set up the redirect URI (you can check that the page works).

When I test the login I saw the user authenticated in the dashboard, but the redirect didn't work. :frowning_face:

this is a screenshot of the complete error


There are a couple more things you might want to check -

  1. Have you updated the widget code to redirect to your landing page like this -

    if (res.status === 'SUCCESS') { res.session.setCookieAndRedirect(redirectUrl); }

  2. Have you added your redirect url to the Trusted Origins section in Okta dashboard?

Follow the section “Adding a Redirect” on this page -

Looking at your error, I’m pretty sure, the redirect URL is not added in the Trusted Origins section in your okta org configuration. This is an application specific configuration which you should be able to access from the okta dashboard.

This is a redirect error; it probably isn't the Trusted Origins.

If I had to make a bet, either the Widget isn’t specifying the clientId, or the redirect URL is incorrect.

Mind sharing your widget code?


Hi to all,

this is my code

I verified that the client ID is correct

Furthermore, I've implemented another login page based on the login page that can be found at this URL
and it works!!
The first login page (it doesn't work) is based on the page that can be found at this URL

thanks for your help!!!

this is my script

Only a clarification: the first login page works, it authenticates me! Only the redirect doesn't work; as I wrote before, the dashboard traces the successful login.

I notice from your code that you’re not setting the redirectUri in the widget configuration.
You should have something like this -

var signIn = new OktaSignIn({
  baseUrl: '',
  clientId: '{{myClientId}}',
  redirectUri: '{{redirectUri configured in OIDC app}}',
  authParams: {
    responseType: 'token id_token',
    // `display: page` will initiate the OAuth2 page redirect flow
    display: 'page'
  }
});

Reference -

Dear all,

after I added

redirectUri: '{{redirectUri configured in OIDC app}}',

it works!

I received the following cookie


Now I have a problem with the httpfilter but this is another topic!

I want to thank you for your help!!!


Only a question: is the cookie that I receive after a successful authentication the Access token?

No, that’s not the access token.
In your code you’re getting the access token inside oktaSignIn.token.parseTokensFromUrl block, specifically the line var accessToken = res[0]

Ok, this isn't the access token.
Is it the authorization code?
After the login I have two cookies:

okta-oauth-nonce value:o95529BqQ6PObv9zi6LQQiq0hDSGIwRiAnC6rd5n5uFC41rrLRt2bbffCPgAtQPL
okta-oauth-state value:yPcLFX75BB88H6aOO0HRkAoL1FuVXch9WzhXc3DGMDjYRGP8SPEtnvtefdcNs5Q7

If I understand correctly, to retrieve information about the authenticated user I will:

Exchange the returned authorization code for an id_token and/or access_token (something like the code below)

It is not the authorization code either.
These cookies are OIDC specific values that are used to mitigate Cross-Site Request Forgery (CSRF, XSRF) & replay attacks. You need not worry about them, as they’re verified by the widget.
If you’re interested, read this -

Coming back to your other question.
You don’t need to exchange authorization code for token(s) because you have specified responseType as token, id_token, which means you directly get back the tokens in the redirect URL. This is the implicit flow.
The one where you would exchange code for token is the authorization code flow.

Looking at your earlier code you posted, you are using the implicit flow, which doesn’t need any token exchange.

So now am I able to retrieve the id token and get information about the user? Could you give me a URL with the code that describes how to retrieve user information? Thanks a lot for your help.

The information about the user is embedded within the id_token.
To request more information about the user, you pass the following scope values in your params -
authParams: { scopes: ['openid', 'email', 'profile', 'address', 'phone'] }

And once you get back your id_token, you can access the user information using the claims in the token.

For a set of standard claims in the id_token, you can refer to

Let me know if this works.
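As an added example (not code from the thread or from Okta), this shows what the state/nonce check described two posts up amounts to, and how the user claims from the previous post are read out of the id_token once the implicit-flow redirect has been accepted. It assumes Node.js; the cookie names are the ones from the thread, all values are constructed, and the id_token is unsigned for illustration only, so this does not replace signature verification.

```javascript
// Added example: the redirect-side checks behind the okta-oauth-state and
// okta-oauth-nonce cookies in the implicit flow (responseType 'token id_token').
// The id_token here is constructed and unsigned; real code must also verify
// the JWT signature against the issuer's keys (the widget does this for you).

// Base64url-encode a JSON object (used only to build the sample token).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Decode the payload (middle segment) of a JWT without verifying it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Parse "#access_token=...&id_token=...&state=..." from the redirect URL.
function parseFragment(url) {
  const hash = new URL(url).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// Accept the redirect only if `state` matches the cookie set before the
// request (CSRF check) and the id_token's `nonce` claim matches its cookie
// (replay check). Returns the id_token claims on success, throws otherwise.
function checkImplicitRedirect(redirectUrl, cookies) {
  const params = parseFragment(redirectUrl);
  if (!params.state || params.state !== cookies['okta-oauth-state']) {
    throw new Error('state mismatch: possible CSRF');
  }
  const claims = decodeJwtPayload(params.id_token);
  if (claims.nonce !== cookies['okta-oauth-nonce']) {
    throw new Error('nonce mismatch: possible replay');
  }
  return claims; // e.g. claims.email, claims.name from the 'email'/'profile' scopes
}

// --- constructed sample data (hypothetical values) ---
const cookies = {
  'okta-oauth-state': 'STATE_constructed_123',
  'okta-oauth-nonce': 'NONCE_constructed_456',
};
const sampleIdToken = [
  b64url({ alg: 'none', typ: 'JWT' }),
  b64url({ sub: '00u1constructed', email: 'ann@example.com', name: 'Ann Example',
           nonce: cookies['okta-oauth-nonce'] }),
  '', // empty signature segment: unsigned sample
].join('.');
const goodUrl = `https://app.example.com/callback#access_token=AT_constructed&id_token=${sampleIdToken}&state=${cookies['okta-oauth-state']}`;
const tamperedUrl = goodUrl.replace('STATE_constructed_123', 'STATE_other');
```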

Ok, I understand. Last question, I promise: could you give me a URL with example code that describes how to retrieve the id token?


It is already in the script that you pasted before :slight_smile:
Look for the line var idToken = res[0] in the code below

I understand that this is confusing as there are different ways in which you can accomplish the same thing.
Suggested reading -

I'm going to read the authentication guide, but my question was if there is an example in Java. The code above is JavaScript.