First-Time SSO Fails but Works on Second Attempt

Has anyone encountered an issue where Single Sign-On (SSO) fails the first time for new users but works on the second attempt with Okta Workforce Identity? We see the Okta page for a fraction of a second with this error message:

You are not allowed to access this app. To request access, contact an admin

After retrying, the login works without issues. This seems like a race condition, possibly related to group assignments or provisioning delays. Our setup involves Okta managing user access, and we suspect that the delay in user provisioning or group synchronization might be causing this.

We use the okta-auth-js SDK, for reference, and have implemented a retry mechanism that re-triggers registration without user input when we get this error. But how can we fix this properly? The experience is still a bit jarring for new users, who are prompted by Google twice to register on our app.

Hi,

Operations like group assignments or provisioning are by design asynchronous, so the race condition that you see is expected behaviour. I would suggest adding checks to verify whether the group assignment for the user is successful or not before attempting the login.

But I don’t understand. I can’t get the user’s email because .getWithRedirect() handles both user provisioning and login within the same call before redirecting me to my callback route. Since the authentication process is managed externally by Okta, I have no way of accessing the user’s identity in between those steps. How am I supposed to perform any checks during this call?

  // Kicks off the social sign-up. Okta provisions the user via the IdP and logs
  // them in within the same redirect, then returns to the callback route.
  const handleSocialSignup = async (provider: "google" | "microsoft") => {
    const idp = provider === "google" ? okta.googleIdps : okta.microsoftIdps;

    try {
      // Full-page redirect to Okta; nothing runs here until the callback route loads.
      await oktaAuth?.token.getWithRedirect({
        idp,
        responseType: ["id_token", "token"],
        scopes: okta.scopes,
        redirectUri: okta.remixRedirectUri,
      });
    } catch (error) {
      logger.error({ error }, "Error during social signup:");
    }
  };
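Since nothing of the user is visible between the redirect and the callback, the only place a check can live is the callback route. The following is an added example, not code from the original post or from okta-auth-js, showing how to make that retry bounded and error-specific rather than a blanket "try again on any error". It assumes that the "not assigned" denial surfaces from `oktaAuth.token.parseFromUrl()` as an error object with `name === "OAuthError"` and `errorCode === "access_denied"` (verify this against your own logs), counts attempts in a sessionStorage-like store so a page reload cannot restart the loop, waits with a growing delay so the asynchronous group assignment has time to land, and gives up after `MAX_RETRIES`. The `parseFromUrl`, `retryLogin`, `store` and `sleep` dependencies are injected so the logic runs offline against a constructed in-memory store and a simulated Okta; in the app they would be `oktaAuth.token.parseFromUrl()`, `handleSocialSignup(provider)`, `window.sessionStorage` and a `setTimeout` wrapper. The storage key name and all helper names are hypothetical.

```typescript
// Added example (not from the original post or okta-auth-js). Assumptions: the
// unassigned-user denial arrives as { name: "OAuthError", errorCode: "access_denied" },
// and the store behaves like window.sessionStorage.

interface OAuthLikeError {
  name: string;
  errorCode?: string;
  errorSummary?: string;
}

// Minimal subset of the Web Storage API, so the logic runs with a plain object offline.
interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

const RETRY_KEY = "sso-signup-retry-count"; // hypothetical key name
const MAX_RETRIES = 2;                      // bound: never bounce through the IdP forever
const BASE_DELAY_MS = 1500;                 // give the async group assignment time to land

type Decision =
  | { action: "retry"; attempt: number; delayMs: number }
  | { action: "give-up"; reason: string };

// Retry only the expected-transient failure. A genuinely unassigned user, a bad client
// config or a broken IdP link must surface immediately, not turn into repeated bounces.
function isAssignmentRace(err: unknown): boolean {
  const e = err as OAuthLikeError | null;
  return !!e && e.name === "OAuthError" && e.errorCode === "access_denied";
}

function readCount(store: KeyValueStore): number {
  const raw = store.getItem(RETRY_KEY);
  const n = raw === null ? 0 : parseInt(raw, 10);
  return isFinite(n) && n >= 0 ? n : 0;
}

// Decide, given the error from the callback, whether to send the user back through Okta.
function decideRetry(err: unknown, store: KeyValueStore): Decision {
  if (!isAssignmentRace(err)) {
    store.removeItem(RETRY_KEY);
    return { action: "give-up", reason: "not an assignment race" };
  }
  const attempt = readCount(store) + 1;
  if (attempt > MAX_RETRIES) {
    store.removeItem(RETRY_KEY);
    return { action: "give-up", reason: "exceeded " + MAX_RETRIES + " retries" };
  }
  store.setItem(RETRY_KEY, String(attempt));
  return { action: "retry", attempt, delayMs: BASE_DELAY_MS * Math.pow(2, attempt - 1) };
}

interface CallbackDeps {
  parseFromUrl: () => Promise<unknown>; // e.g. () => oktaAuth.token.parseFromUrl()
  retryLogin: () => Promise<void>;      // e.g. () => handleSocialSignup(provider)
  store: KeyValueStore;                 // e.g. window.sessionStorage
  sleep: (ms: number) => Promise<void>; // e.g. (ms) => new Promise(r => setTimeout(r, ms))
}

type CallbackResult =
  | { status: "ok"; tokens: unknown }
  | { status: "retrying"; attempt: number }
  | { status: "failed"; reason: string; error: unknown };

// Callback-route handler: parse tokens, or classify the failure and retry within bounds.
async function handleCallback(deps: CallbackDeps): Promise<CallbackResult> {
  try {
    const tokens = await deps.parseFromUrl();
    deps.store.removeItem(RETRY_KEY); // success: reset so a later real denial is not masked
    return { status: "ok", tokens };
  } catch (err) {
    const d = decideRetry(err, deps.store);
    if (d.action === "give-up") return { status: "failed", reason: d.reason, error: err };
    await deps.sleep(d.delayMs);
    await deps.retryLogin();
    return { status: "retrying", attempt: d.attempt };
  }
}

// Constructed in-memory stand-in for sessionStorage.
function makeMemoryStore(): KeyValueStore {
  const m: Record<string, string> = {};
  return {
    getItem: (k) => (k in m ? m[k] : null),
    setItem: (k, v) => { m[k] = v; },
    removeItem: (k) => { delete m[k]; },
  };
}

// Drive the whole flow offline against a simulated Okta that denies the first
// `denials` callbacks with `code`. Each "trip" is one redirect to Okta and back.
async function simulateSignup(denials: number, code = "access_denied"): Promise<{ status: string; trips: number }> {
  const store = makeMemoryStore();
  let trips = 0;
  const parseFromUrl = async (): Promise<unknown> => {
    trips += 1;
    if (trips <= denials) {
      const e: OAuthLikeError = { name: "OAuthError", errorCode: code, errorSummary: "constructed denial" };
      throw e;
    }
    return { accessToken: "constructed-token" };
  };
  let again = true;
  let result: CallbackResult = { status: "failed", reason: "not run", error: null };
  while (again) {
    again = false;
    result = await handleCallback({ parseFromUrl, retryLogin: async () => { again = true; }, store, sleep: async () => {} });
  }
  return { status: result.status, trips };
}
```

The user is still sent through Google a second time in the race case; the value of the bound is that a user who is truly not assigned, or a misconfigured client, stops after `MAX_RETRIES + 1` trips with a clear failure instead of looping, and that an unrelated OAuth error never triggers a retry at all.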