Interact endpoint returning "The activation token is invalid" with widget integration

This integration previously worked perfectly.

We use Signin Widget in our application. When we create users we use a two step process to generate an email:

POST → /api/v1/users?activate=false
POST → /api/v1/users/{user_id}/lifecycle/activate?sendEmail=true

Our Authenticator Enrollment policy (terraform) is as follows:

resource "okta_policy_mfa" "policy_name" {
 ...

  okta_email = {
    enroll = "REQUIRED"
  }

  webauthn = {
    enroll = "REQUIRED"
  }

  ...
}

We have modified the activation email template to point to our application:

https://{our_domain}/init/okta/$${activationToken}

We bootstrap the signin widget like so:

    import { OktaAuth } from '@okta/okta-auth-js';
    import OktaSignIn from '@okta/okta-signin-widget';
    ...
    const activationToken = getActivationTokenFromQueryParams();
    ...

    this.oktaAuth = new OktaAuth({
      ...
      activationToken,
      ...
    });

    this.signIn = new OktaSignIn({
      ...
      authClient: this.oktaAuth,
    });

Previously, when we initialized the widget with the above configuration, the widget would display the authenticator enrollment prompts.

Now the widget displays a message that says:

Something went wrong. Potential misconfiguration detected. Please contact support.

If I inspect the network activity I see a call to the /oauth2/default/v1/interact
endpoint that returns a 400 with the following error response:

{
    "error": "invalid_request",
    "error_description": "The activation token is invalid"
}

I cannot stress enough that this integration worked perfectly in the past… it was 8/3/2023 when we noticed this failure starting.

It is worth mentioning that when we previously had this working, we would only create the user in an activated state, which would result in an email. However, on the same day, 8/3/2023, this user creation action no longer resulted in an email being sent, and we were told by Okta support that a change had been made requiring the two-step process to generate the email.
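As an added example (not code from the original post, nor from Okta's SDK), a defensive version of the `getActivationTokenFromQueryParams` step in plain JavaScript: it reads the token from the `/init/okta/<token>` path used in the email template, refuses an unrendered `${activationToken}` placeholder, and recognises the `/v1/interact` error body from the post so the application can offer a resend instead of the widget's generic "Potential misconfiguration detected" message. The `new OktaAuth(...)` and `new OktaSignIn(...)` calls are omitted so the snippet runs offline; function names, the issuer, client id, redirect URI and token values are constructed placeholders.

```javascript
// Constructed example, not the poster's code. Extracts the activation token
// that the customised email template puts in the URL
// (https://{our_domain}/init/okta/${activationToken}) and classifies the
// /oauth2/default/v1/interact error shown in the post.
const PLACEHOLDER = '${activationToken}';   // template literal that was never rendered
const TOKEN_RE = /^[\x21-\x7e]+$/;          // printable, non-space ASCII (assumption)

// Returns the token from /init/okta/<token>, falling back to
// ?activationToken=<token>. Returns null when the value is missing, is still
// the literal placeholder, or is otherwise malformed, so that junk is never
// handed to OktaAuth and rejected with "The activation token is invalid".
function getActivationToken(pathname, search = '') {
  const m = /^\/init\/okta\/([^/?#]+)\/?$/.exec(pathname);
  let raw = null;
  if (m) {
    try { raw = decodeURIComponent(m[1]); } catch (e) { raw = null; }
  }
  if (!raw) {
    raw = new URLSearchParams(search).get('activationToken');
  }
  if (!raw || raw === PLACEHOLDER || !TOKEN_RE.test(raw)) return null;
  return raw;
}

// Builds the config object the post passes to `new OktaAuth(...)`. The token
// is only set when present, so a normal sign-in is not broken by a null.
function buildOktaAuthConfig(issuer, clientId, redirectUri, activationToken) {
  const cfg = { issuer, clientId, redirectUri };
  if (activationToken) cfg.activationToken = activationToken;
  return cfg;
}

// Maps the 400 response from the post to an application-level action;
// anything else is left to the widget's own error handling.
function classifyInteractError(status, body) {
  if (status === 400 && body && body.error === 'invalid_request' &&
      /activation token is invalid/i.test(body.error_description || '')) {
    return 'expired_or_invalid_token'; // offer to resend the activation email
  }
  return 'unknown';
}
```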

Hey Joec,

Oh no, the Signin Widget blues are a real downer, especially after it was smooth sailing before! Thanks for laying out the details of your two-step email creation process and the MFA policy setup. Let’s tackle this head-on:

First up, double-check that the activation token you’re grabbing from the query parameters is being smoothly fed into the OktaAuth constructor. It should be done like a pro, you know?

Next, take a good look at the network requests, especially the ones to /oauth2/default/v1/interact. Is the activation token in the request partying right?

Confirm that your activation email template knows the deal. That ${activationToken} placeholder should be flaunting the actual token value.

Peek at your MFA policy config, ensuring that email enrollment is set to “REQUIRED.” Gotta make sure of that!

Lastly, revisit how you’re initializing the Signin Widget. Ensure that your config, especially the OktaAuth part, is set up like a rockstar.

If this pesky issue is still playing hard to get after these checks, spill the beans on any other changes in your setup or share some logs from Okta Admin Console. The more info, the better!

Give me a shout if you’ve got questions or need more assistance; I will be available at Triotech Systems. We’ll get that widget dancing again!

Cheers,
Rehes