Okta-auth-js: How to configure proxy for OktaAuth

I’m using the okta-auth-js sdk and I’m wondering how I should configure a proxy for the OktaAuth instance. Here is what I have:

const oktaClient = () => {
  return new OktaAuth.OktaAuth({
    clientId: "...",
    issuer: "...",
    redirectUri: "...",
    pkce: true,
    scopes: [...],
    httpRequestClient: async (method, url, options) => {
      const proxyHost = '...';
      const proxyPort = '...';
      const httpsAgent = tunnel.httpsOverHttp({ proxy: { host: proxyHost, port: proxyPort }, rejectUnathorized: false });
      return await axios.request({
        url: url,
        method: method,
        headers: options.headers,
        httpsAgent: httpsAgent,
        data: options.data,
        withCredentials: options.withCredentials,
        validateStatus: status => {
            return status >= 100 && status <= 599;

I’m using it to perform the following:

const auth = oktaClient()
  let transaction;
  try {
    transaction = await auth.idx.authenticate({
      username: customer.userId,
      password: customer.password
  } catch (error) {

I was prompted to attempt configuring a proxy since I was seeing the following error:
{“name”:“AuthApiError”,“xhr”:{“message”:“request to https://my-auth-server/my-auth-server-id/.well-known/openid-configuration failed, reason: read ECONNRESET”,“type”:“system”,“errno”:“ECONNRESET”,“code”:“ECONNRESET”}}

I’m running this code as an acceptance test in a pipeline presumably on my company’s network. I’m using CodeceptJS and Puppeteer which has its own proxy server configured:


exports.config = {
    tests: "./tests/*_test.js",
    output: "./output",
    helpers: {
        Puppeteer: {
            show: process.env.npm_config_headless || false,
            url: ...,
            timeout: 0,
            chrome: {
                ignoreHTTPSErrors: true,
                args: [

Okta-auth-js SDK is not tested with proxy and may not be secure since you are introducing another over-head client and server, and tunnels may not work if the proxy is not setup at the node or environment level.

The client authentication options (httpsAgent) were mostly used to resolve into promises, which may not work for invalid response types.

Please open a case with developer support at OKTA. Maybe your specific use case requires a bit more insight into what you are trying to achieve.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.