Okta login on Android using WebView is failing

I am trying to integrate Okta login on Android using a WebView.

The HTML page contains the Okta Sign-In Widget. The HTML page URL is loaded in the Android WebView.

The authentication fails with the message:
"This application is restricted to authorized devices. Be sure that the device you are using has disk encryption, the latest security updates, a modern OS, biometric or passcode protection, and that you are properly assigned the resource you are attempting to access."

Device Trust settings are turned ON in the dashboard by the admin.

Any leads on what I am missing?

The payload (System Log event) in the Okta dashboard is as follows:
{
  "actor": {
    "id": "00unsXXXXXXXXX",
    "type": "User",
    "alternateId": "XXXX@XXXX.com",
    "displayName": "JaXX XXX",
    "detailEntry": null
  },
  "client": {
    "userAgent": {
      "rawUserAgent": "Mozilla/5.0 (Linux; Android 14; SM-X210 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Safari/537.36",
      "os": "Android",
      "browser": "CHROME"
    },
    "zone": "null",
    "device": "Mobile",
    "id": null,
    "ipAddress": "12.XXX.XXX.XX",
    "geographicalContext": {
      "city": "XXXX XXXX",
      "state": "XXXXX",
      "country": "United States",
      "postalCode": "XXXXX",
      "geolocation": {
        "lat": XX.XXXX,
        "lon": -XX.XXXX
      }
    }
  },
  "device": null,
  "authenticationContext": {
    "authenticationProvider": null,
    "credentialProvider": null,
    "credentialType": null,
    "issuer": null,
    "interface": null,
    "authenticationStep": 0,
    "rootSessionId": "XXXXXXXXX_7TZKEPZx3MTq-Rw",
    "externalSessionId": "XXXXXXXXX_7TZKEPZx3MTq-Rw"
  },
  "displayMessage": "Evaluation of sign-on policy",
  "eventType": "policy.evaluate_sign_on",
  "outcome": {
    "result": "DENY",
    "reason": "Sign-on policy evaluation resulted in DENIED"
  },
  "published": "2024-09-12T21:35:24.224Z",
  "securityContext": {
    "asNumber": XXXX,
    "asOrg": "XXXXX corporation",
    "isp": "XXX services inc",
    "domain": "XXXXX.com",
    "isProxy": false
  },
  "severity": "INFO",
  "debugContext": {
    "debugData": {
      "authnRequestId": "XXXXXXXXX",
      "oktaUserAgentExtended": "okta-auth-js/7.7.0 okta-signin-widget-7.21.2",
      "requestId": "XXXXXXXXX",
      "dtHash": "XXXXXXXXX",
      "requestUri": "/idp/idx/authenticators/poll/cancel",
      "threatSuspected": "false",
      "url": "/idp/idx/authenticators/poll/cancel?",
      "logOnlySecurityData": "{\"risk\":{\"reasons\":\"Anomalous Device\",\"level\":\"MEDIUM\"},\"behaviors\":{\"New Geo-Location\":\"NEGATIVE\",\"New Device\":\"POSITIVE\",\"New IP\":\"NEGATIVE\",\"New State\":\"NEGATIVE\",\"New Country\":\"NEGATIVE\",\"Velocity\":\"NEGATIVE\",\"New City\":\"NEGATIVE\"}}"
    }
  },
  "legacyEventType": null,
  "transaction": {
    "type": "WEB",
    "id": "XXXXXXXXX",
    "detail": {}
  },
  "uuid": "XXXXXXXXX",
  "version": "0",
  "request": {
    "ipChain": [
      {
        "ip": "XX.XXX.XXX.XX",
        "geographicalContext": {
          "city": "XXXX XXXX",
          "state": "XXXX",
          "country": "United States",
          "postalCode": "XXXXX",
          "geolocation": {
            "lat": XX.XXXX,
            "lon": -XX.XXXX
          }
        },
        "version": "V4",
        "source": null
      }
    ]
  },
  "target": [
    {
      "id": "XXXXXXXXX",
      "type": "AppInstance",
      "alternateId": "XXXX",
      "displayName": "XXXX",
      "detailEntry": {
        "signOnModeType": "SAML_2_0",
        "signOnModeEvaluationResult": "DENIED"
      }
    },
    {
      "id": "XXXXXXXXX",
      "type": "Rule",
      "alternateId": "unknown",
      "displayName": "Catch-all Rule",
      "detailEntry": {
        "policyRuleFactorMode": "2FA"
      }
    }
  ]
}

The code within the HTML page is as below:

Android WebView code (Kotlin):
import android.webkit.CookieManager
import android.webkit.WebView

// The Sign-In Widget is JavaScript and uses localStorage, so both must be on.
webView.settings.javaScriptEnabled = true
webView.settings.domStorageEnabled = true
// file:// and content:// access are not needed to load a remote https page.
webView.settings.allowFileAccess = true
webView.settings.allowContentAccess = true
// Drop any existing Okta session cookies before loading the widget.
CookieManager.getInstance().removeAllCookies(null)
// Bridge object the page can call as window.androidClient.
webView.addJavascriptInterface(
    LoadListener(findNavController(), activity as BaseActivity),
    "androidClient"
)
setupWebClient()
webView.clearCache(true)
webView.loadUrl(url)
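The event quoted above already carries the fields worth checking before changing any policy: the `policy.evaluate_sign_on` outcome, the user-agent string (an Android System WebView tags itself with a `; wv)` token that Chrome proper does not carry, even though Okta classifies the browser as CHROME), the top-level `device` object (null here, so no device record was tied to the request), the risk block stored as a JSON string inside `logOnlySecurityData`, and which app instance and rule were evaluated. The following Python triage is an added example, not code from the original post or from Okta; `EVENT` is a constructed, trimmed copy of the redacted event with the same field names and placeholder values, and the function names are the example's own.

```python
"""Triage an Okta System Log 'policy.evaluate_sign_on' event for a device-trust
denial. Added example, not code from the original post or from Okta. EVENT is a
constructed, trimmed copy of the redacted event quoted in the question."""
import json

# Constructed sample: only the fields used below, values as posted (redacted).
EVENT = json.loads(r'''
{
  "eventType": "policy.evaluate_sign_on",
  "outcome": {"result": "DENY", "reason": "Sign-on policy evaluation resulted in DENIED"},
  "client": {
    "userAgent": {
      "rawUserAgent": "Mozilla/5.0 (Linux; Android 14; SM-X210 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Safari/537.36",
      "os": "Android",
      "browser": "CHROME"
    },
    "device": "Mobile"
  },
  "device": null,
  "debugContext": {
    "debugData": {
      "requestUri": "/idp/idx/authenticators/poll/cancel",
      "logOnlySecurityData": "{\"risk\":{\"reasons\":\"Anomalous Device\",\"level\":\"MEDIUM\"},\"behaviors\":{\"New Device\":\"POSITIVE\",\"New IP\":\"NEGATIVE\"}}"
    }
  },
  "target": [
    {"type": "AppInstance", "displayName": "XXXX",
     "detailEntry": {"signOnModeType": "SAML_2_0", "signOnModeEvaluationResult": "DENIED"}},
    {"type": "Rule", "displayName": "Catch-all Rule",
     "detailEntry": {"policyRuleFactorMode": "2FA"}}
  ]
}
''')


def is_android_webview(user_agent: str) -> bool:
    """Android System WebView marks its UA with a '; wv)' token that Chrome proper lacks."""
    return "Android" in user_agent and "; wv)" in user_agent


def risk_from_debug_data(debug_data: dict) -> dict:
    """logOnlySecurityData is JSON stored as a string; return its 'risk' object or {}."""
    raw = debug_data.get("logOnlySecurityData") or "{}"
    try:
        return json.loads(raw).get("risk", {}) or {}
    except (json.JSONDecodeError, AttributeError):
        return {}


def triage(event: dict) -> dict:
    """Pull the fields that explain a sign-on policy DENY into one flat summary."""
    client = event.get("client") or {}
    ua = (client.get("userAgent") or {}).get("rawUserAgent", "")
    debug_data = (event.get("debugContext") or {}).get("debugData") or {}
    risk = risk_from_debug_data(debug_data)
    targets = event.get("target") or []
    denied_apps = [
        t.get("displayName") for t in targets
        if t.get("type") == "AppInstance"
        and (t.get("detailEntry") or {}).get("signOnModeEvaluationResult") == "DENIED"
    ]
    rules = [t.get("displayName") for t in targets if t.get("type") == "Rule"]

    summary = {
        "denied": (event.get("outcome") or {}).get("result") == "DENY",
        "webview": is_android_webview(ua),
        # A null top-level 'device' means no registered device record was tied to this request.
        "device_record": event.get("device") is not None,
        "risk_level": risk.get("level"),
        "risk_reasons": risk.get("reasons"),
        "denied_apps": denied_apps,
        "matched_rules": rules,
        "findings": [],
    }
    if summary["denied"]:
        summary["findings"].append("sign-on policy returned DENY for " + ", ".join(denied_apps))
    if summary["webview"]:
        summary["findings"].append(
            "request came from an Android WebView ('; wv)' in the UA), although 'browser' says CHROME")
    if not summary["device_record"]:
        summary["findings"].append("event carries no device record (top-level 'device' is null)")
    if summary["risk_reasons"]:
        summary["findings"].append(f"risk {summary['risk_level']}: {summary['risk_reasons']}")
    return summary


if __name__ == "__main__":
    for line in triage(EVENT)["findings"]:
        print("-", line)
```

Run against the posted event it reports all four findings: the DENY for the SAML app, the WebView user agent, the missing device record, and the MEDIUM "Anomalous Device" risk. Feeding it the same user's events from a normal Chrome or Okta Verify sign-in lets you compare which of those signals differ.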

Hi there, the error seems to be something that would be thrown if you have some device management set up by your corporation/company. Are you testing this on a company-managed device or your own personal device?

On a company-managed device.