Error 400 only on initial login

I have an Angular app that is authenticating with an Okta org auth server. Running into an odd issue where I get an error 400 during the redirect only when a user first logs in and creates their profile, after they select a security image.

There is no additional info shown about the error, just “400 Bad Request - Your request resulted in an error” then a “Go to homepage” button that properly takes the user back to the app (logged in) when clicked.

The redirect URI is set to the Angular callback route and works perfectly for any subsequent time after that initial login/select photo, making this even more difficult to debug.

The request URL giving the 400 is https://[instance].okta.com/oauth2/v1/authorize/redirect?okta_key=[key],/login/login.htm?fromURI=%2Foauth2%2Fv1%2Fauthorize%2Fredirect%3Fokta_key%[key]

Has anyone else seen this? Is there some way I can get more info about what is causing this error?

Hi @cddev10

When this error occurs, can you please save the x-okta-request-id header from the response headers received from Okta and provide it here? This is a fingerprint of the request and it will help in narrowing down the cause of the error.

Hi @dragos, I am seeing the following:
x-okta-request-id XxIRYwjfjORNkefP5MCdhwAABoU

Hi @cddev10

Based on the request ID, I can see that the request to the endpoint is the following

 "GET /oauth2/v1/authorize/redirect?okta_key=rCACCvHnbxo_SKkkWlSmFx6xezjw7ZtowOJmfStRpLM,/login/login.htm?fromURI=%2Foauth2%2Fv1%2Fauthorize%2Fredirect%3Fokta_key%3DrCACCvHnbxo_SKkkWlSmFx6xezjw7ZtowOJmfStRpLM HTTP/1.1"

In the request you can see a comma and another URL concatenated to it. Do you have any logic inside the application to perform this concatenation?

I see what you mean. I am not aware of any logic within the application that would be performing this concatenation. It seems related to the welcome page, since the only time I have seen this issue is after the welcome page is shown. Is there some other redirect setting for the welcome page that could be responsible for this?

Hi @cddev10

Can you please retrieve a HAR file with the exact authentication and authorization steps to generate this error and open a support ticket with us through an email to support@okta.com?

We would need to check this further together with one of our Support Engineers to see exactly what is the cause of this concatenation.

Is there any way I can clear the security image for a user that has gone through the setup process so I can reproduce the issue?