[okta-auth-js]: okta.idx.recoverPassword mostly completes but triggers Push Notification

Hi, I am building a React SPA with TypeScript using the okta-auth-js package, and I am creating custom account creation, login, and password recovery pages. In the Admin Console, I have it set so that the following authenticators are being used for this app:

  • Email - Authentication and Recovery
  • Password - Authentication
  • Okta Verify - Authentication and Recovery (Push Recovery Only)

For enrollment, it is using a default policy for the everyone group with authenticator:

  • Password - Required
  • Okta Verify - Optional
  • Email - Disabled

My application uses an Authentication Policy where it must authenticate with a password and Okta Verify.

I have self-service enrollment working as my account creation flow seems to be working. I am receiving a verification code via email and after entering, the user is prompted to scan a QR Code onto the Okta Verify mobile app and can successfully log in after that is done. This is done both using a verification code input field after making the submission or through an email callback URL I set on the application in the Admin Console.

However, I am noticing a strange behavior when going through the Recover Password flow. In both scenarios of inputting a verification code or through a custom page routed via the email callback URL I set in the Admin Console, I am able to set a password and call:

const transaction = await oktaAuth.idx.proceed({ password: 'someNewPassword' })

I expected to receive a SUCCESS status, but received PENDING instead along with a push notification from Okta Verify. What’s strange for me is that I can ignore the push notification and PENDING status and continue with logging into the application afterwards by navigating back to my login page.

My code is similar to that of the example from the official documentation found here:

I am confused as to why it triggers a push notification automatically, since I don’t have anything code-wise to perform that action compared to my login code, so I can’t really capture and poll for a status after the MFA response. In my transaction object after submitting a new password, I am getting the nextStep with the name of ‘select-authenticator-authenticate’ with the only input being ‘okta_verify’. In the ‘availableSteps’ property, there is a ‘challenge-poll’ step, but trying to call:

const transaction = await oktaAuth.idx.proceed({ step: 'challenge-poll' })

seems to go back to where the nextStep is ‘select-authenticator-authenticate’. If I attempt to proceed with that step, it just leads to a recursion where I am indefinitely going to the ‘select-authenticator-authenticate’ step and just MFA bombing my phone. Not sure if it’s related to just having Okta Verify set to my Authenticator or Enrollment Policy, but just wondering what I need to do after submitting a password to handle the push notification?
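A client-side guard against the repeated-push loop described in the post, as an added example that is not part of the original post and not okta-auth-js code. It does not explain why the push is issued; it only caps how often the UI re-proceeds from the same step. The field names `status`, `nextStep.name` and `availableSteps` follow the transaction described above; `createPushGuard`, `simulateLoop`, the action names and the default budget of one push are assumptions of this sketch.

```javascript
// Added example (hypothetical helper names). Caps how many times a UI may
// proceed from 'select-authenticator-authenticate', so a flow that keeps
// returning to that step cannot flood the user's phone with push prompts.
function createPushGuard(maxPushPrompts = 1) {
  let pushPrompts = 0;

  // Decide what the UI may do with a transaction returned by idx.proceed().
  return function decide(transaction) {
    if (transaction.status === 'SUCCESS') return { action: 'done' };
    if (transaction.status !== 'PENDING') {
      return { action: 'stop', reason: `unexpected status ${transaction.status}` };
    }
    const step = transaction.nextStep ? transaction.nextStep.name : undefined;
    if (step !== 'select-authenticator-authenticate') {
      return { action: 'stop', reason: `unhandled step ${step}` };
    }
    if (pushPrompts >= maxPushPrompts) {
      // Per the post, proceeding again from this step sends another push.
      return { action: 'stop', reason: 'push budget exhausted' };
    }
    pushPrompts += 1;
    return { action: 'proceed', step };
  };
}

// Constructed transaction mimicking the loop in the post: every proceed
// comes back PENDING on the same select step.
function simulateLoop(maxPushPrompts, rounds) {
  const decide = createPushGuard(maxPushPrompts);
  const looping = {
    status: 'PENDING',
    nextStep: { name: 'select-authenticator-authenticate' },
    availableSteps: [{ name: 'challenge-poll' }],
  };
  const actions = [];
  for (let i = 0; i < rounds; i += 1) {
    const decision = decide(looping);
    actions.push(decision.action);
    if (decision.action !== 'proceed') break; // surface to the user instead
  }
  return actions;
}
```

On `stop`, the page would show the reason and wait for an explicit user action rather than calling proceed again.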
