Missing authentication code on idpDiscovery login

Hello,

I am currently experimenting with the Okta widget to integrate it into a React SPA. I am using the samples-js-react/custom-login project (okta/samples-js-react on GitHub, master branch) for my tests. It works with email+password. However, when connecting via an external Identity Provider, Okta doesn’t return an authentication code.
I am properly redirected to the Identity Provider, the authentication is validated (the events show success in the System Log), but the redirection to the route /implicit/callback does not contain the authentication code. Instead, Okta redirects to http://localhost:3000/implicit/callback?fromLogin=true, so the authentication process doesn’t complete.

The OktaSignIn configuration:

{
  baseUrl,
  clientId,
  redirectUri: 'http://localhost:3000/implicit/callback',
  features: {
    idpDiscovery: true
  },
  idpDiscovery: {
    requestContext: 'http://localhost:3000/implicit/callback'
  },
  authParams: {
    pkce: true,
    issuer,
    display: 'page',
    responseMode: 'query',
    scopes: ['openid'],
  },
}

This topic seems to have the same symptoms: "Okta sign-in widget does not complete sign-in after authentication with IDP". Was any solution found for this issue?

Thanks,

mathieuv

When users log in through an external IDP, the authorize call will not be made and by default they will wind up on their Okta dashboard if you do not set a requestContext. Setting the requestContext to the callback route means login will not occur because, like I said, the authorize call was never made in the first place and the callback route has no authorization code to exchange for tokens. So, instead of setting the requestContext to the callback route, you will want to redirect to a route that is able to make the authorize call for the user once they are authenticated with Okta.

One way to handle this is to redirect the user to your main or login page, with logic on that page that will make a silent authorize call (AuthJS’ getWithoutPrompt can do this for you without redirecting the user again) if the user has an existing Okta session (instead of loading the widget).

Thank you for the reply, it was exactly what I needed (although I used getWithRedirect to not rely on 3rd party cookies).
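The approach from the replies above, as an added example that is not part of the thread or of Okta's samples: logic for the page that `idpDiscovery.requestContext` points to, which makes the authorize call itself, either silently or with a full redirect. It assumes `authClient` is an `@okta/okta-auth-js` `OktaAuth` instance (4.x or later, where `getWithoutPrompt` resolves to `{ tokens }`); the function name, `preferRedirect` and `showWidget` are hypothetical.

```javascript
// Added example, not from the thread. Call this on the route that
// idpDiscovery.requestContext points to (NOT on the /implicit/callback route,
// which only knows how to exchange an authorization code it never receives here).
async function resumeLoginAfterIdp(authClient, options = {}) {
  const {
    scopes = ['openid'],
    preferRedirect = false,   // hypothetical option: skip the silent path entirely
    showWidget = () => {},    // hypothetical callback that renders the sign-in widget
  } = options;

  if (preferRedirect) {
    // Full-page authorize call. The Okta session cookie is first-party during
    // the redirect, so this works when the browser blocks third-party cookies.
    // Only use this on a route reached after the IdP round trip.
    await authClient.token.getWithRedirect({ scopes });
    return 'redirecting';
  }

  // Silent path: both calls below need the browser to send the Okta session
  // cookie from your app's origin (a third-party cookie). If it is blocked,
  // session.exists() reports false and the user lands on the widget again.
  if (!(await authClient.session.exists())) {
    showWidget();
    return 'widget';
  }

  try {
    // Authorize call in a hidden iframe (prompt=none); no further redirect.
    const { tokens } = await authClient.token.getWithoutPrompt({ scopes });
    authClient.tokenManager.setTokens(tokens);
    return 'tokens-stored';
  } catch (err) {
    // The silent call failed (for example the session ended in between).
    // Fall back to the full redirect instead of leaving the user stuck.
    await authClient.token.getWithRedirect({ scopes });
    return 'redirecting';
  }
}
```

After `getWithRedirect`, Okta sends the browser to `redirectUri` with the authorization code, so the existing callback route completes the login as it does for email+password.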