Getting 400 Bad Request when integrating OIN app

I had submitted an OIDC SPA I created in my dev-75139973 org through the OIN submission process to make it available in the app catalog. I had another dev org, dev-266224, where I asked support to make it available for testing. I used 'Add integration' to add the SPA from the app catalog and got a unique client ID for the app.

I am trying to use the app as SSO for testing in a simple web application. This is the auth flow in my source code:

    const oktaConfig = {
      clientId: 'unique-clientid-from-integration',
      issuer: 'https://dev-75139973.com/oauth2/default',
      // issuer: 'https://dev-266224.okta.com/oauth2/default',
      redirectUri: window.location.origin,   // the SPA's own origin is sent as redirect_uri
      scope: 'openid profile email',
      responseType: ['code'],                 // authorization code flow
    };

I was not sure which issuer I was supposed to use, but neither seems to work. When I use dev-75139973, I get 400 Bad Request. When I use dev-266224, I get 400 Bad Request with the error: "The 'redirect_uri' parameter must be a Login redirect URI in the client app settings." Because the app is integrated from the app catalog, I cannot edit it to include my redirect URI.

Note: I configured a custom URL for dev-75139973 so the user will see that URL rather than dev-75139973.

The issuer for an OIDC app in the OIN should be just the Okta Domain. That will ensure that the Org Authorization Server is used. The Default auth server will not work for OIN apps.

What had you set as the redirect_uri for the app when you made your OIN submission? Did you indicate that it would vary per tenant, as noted here: Submit an SSO integration | Okta Developer?
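To make the two points above concrete, here is an added example (not from this thread or from Okta's SDK) that checks an SPA config for an OIN-published app and builds the authorize URL against the Org Authorization Server. The org, client ID and registered Login redirect URI are constructed placeholders.

```javascript
// Check an OIDC SPA config for an OIN-published app and return a list of problems.
// loginRedirectUris is the list configured on the app's Sign On tab (constructed here).
function checkOinConfig(config, loginRedirectUris) {
  const problems = [];
  const issuer = new URL(config.issuer);
  // OIN apps use the Org Authorization Server, whose issuer is the bare Okta
  // domain. A custom server path such as /oauth2/default yields 400 Bad Request.
  if (issuer.pathname !== "/") {
    problems.push(`issuer must be the bare Okta domain, not path ${issuer.pathname}`);
  }
  if (issuer.protocol !== "https:") problems.push("issuer must use https");
  // Okta rejects the request unless redirect_uri exactly matches a Login redirect URI.
  if (!loginRedirectUris.includes(config.redirectUri)) {
    problems.push(`redirect_uri ${config.redirectUri} is not a registered Login redirect URI`);
  }
  if (!config.scope.split(/\s+/).includes("openid")) problems.push("scope must include openid");
  return problems;
}

// Build the authorize URL. The Org Authorization Server's endpoint is
// https://{domain}/oauth2/v1/authorize (no server id segment); state and the
// PKCE challenge are supplied by the caller so the output is deterministic.
function authorizeUrl(config, state, codeChallenge) {
  const base = config.issuer.replace(/\/$/, "");
  const params = new URLSearchParams({
    client_id: config.clientId,
    response_type: config.responseType.join(" "),
    redirect_uri: config.redirectUri,
    scope: config.scope,
    state,
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
  });
  return `${base}/oauth2/v1/authorize?${params}`;
}

// Constructed sample values: the config as posted (custom auth server) and the fix.
const wrongConfig = {
  clientId: "0oaEXAMPLECLIENTID",
  issuer: "https://dev-266224.okta.com/oauth2/default",
  redirectUri: "http://localhost:8080",
  scope: "openid profile email",
  responseType: ["code"],
};
const fixedConfig = { ...wrongConfig, issuer: "https://dev-266224.okta.com" };
const registeredRedirects = ["http://localhost:8080"];

console.log(checkOinConfig(wrongConfig, registeredRedirects));  // one issuer problem
console.log(checkOinConfig(fixedConfig, registeredRedirects));  // []
console.log(authorizeUrl(fixedConfig, "state123", "challenge123"));
```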

It turned out that the issuer is this dev org, dev-266224. As for the redirect URI issue, I had to specify the URI on the Sign On tab of the Okta application.

I ran into another error when trying to register an account, per this screenshot. Why do I get this error for this dev org, dev-266224?

Are you able to see a request that errored out in the Network tab?

The network tab looks like this:

How did you wind up on this route? Did you navigate there directly, or did you follow the Sign Up link from the initial login page?

Do you see the same behavior in all browsers?

I followed the Sign Up link from the initial login page. Yes, this happens in all browsers, and it's only for that dev org.

What attributes have you set as required for Self-Service Registration in your org? Do you have any custom attributes set to required? Are all fields set to required configured as READ-WRITE in Profile Editor (to ensure that end users are allowed to populate these values themselves)?

This is an old dev org owned by a previous developer, and I believe they had custom attributes set. I created a new dev org to use for my test apps. Account registration works for that one.

You'll want to look into how those custom attributes are configured and see if removing them from the registration flow/form, or changing how those attributes are configured in Profile Editor, resolves the issue in that org. You can review the attributes shown in registration, and whether they are marked required, by navigating to Directory → Self-Service Registration.