I am trying to integrate Okta login on Android using a WebView.
The HTML page contains the Okta Sign-In Widget, and the URL of that HTML page is loaded in the Android WebView.
The authentication fails with the message:
“This application is restricted to authorized devices. Be sure that the device you are using has disk encryption, the latest security updates, a modern OS, biometric or passcode protection, and that you are properly assigned the resource you are attempting to access.”
The Device Trust setting is turned ON in the dashboard by the admin.
Any leads on what I am missing?
The event payload shown in the Okta dashboard is as follows:
{
"actor": {
"id": "00unsXXXXXXXXX",
"type": "User",
"alternateId": "XXXX@XXXX.com",
"displayName": "JaXX XXX",
"detailEntry": null},
"client": {
"userAgent": {
"rawUserAgent": "Mozilla/5.0 (Linux; Android 14; SM-X210 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Safari/537.36",
"os": "Android",
"browser": "CHROME"},
"zone": "null",
"device": "Mobile",
"id": null,
"ipAddress": "12.XXX.XXX.XX",
"geographicalContext": {
"city": "XXXX XXXX",
"state": "XXXXX",
"country": "United States",
"postalCode": "XXXXX",
"geolocation": {
"lat": XX.XXXX,
"lon": -XX.XXXX
}
}
},
"device": null,
"authenticationContext": {
"authenticationProvider": null,
"credentialProvider": null,
"credentialType": null,
"issuer": null,
"interface": null,
"authenticationStep": 0,
"rootSessionId": "XXXXXXXXX_7TZKEPZx3MTq-Rw",
"externalSessionId": " XXXXXXXXX_7TZKEPZx3MTq-Rw"
},
"displayMessage": "Evaluation of sign-on policy",
"eventType": "policy.evaluate_sign_on",
"outcome": {
"result": "DENY",
"reason": "Sign-on policy evaluation resulted in DENIED"
},
"published": "2024-09-12T21:35:24.224Z",
"securityContext": {
"asNumber": XXXX,
"asOrg": "XXXXX corporation",
"isp": "XXX services inc",
"domain": "XXXXX.com",
"isProxy": false
},
"severity": "INFO",
"debugContext": {
"debugData": {
"authnRequestId": "XXXXXXXXX",
"oktaUserAgentExtended": "okta-auth-js/7.7.0 okta-signin-widget-7.21.2",
"requestId": " XXXXXXXXX",
"dtHash": " XXXXXXXXX",
"requestUri": "/idp/idx/authenticators/poll/cancel",
"threatSuspected": "false",
"url": "/idp/idx/authenticators/poll/cancel?",
"logOnlySecurityData": "{\"risk\":{\"reasons\":\"Anomalous Device\",\"level\":\"MEDIUM\"},\"behaviors\":{\"New Geo-Location\":\"NEGATIVE\",\"New Device\":\"POSITIVE\",\"New IP\":\"NEGATIVE\",\"New State\":\"NEGATIVE\",\"New Country\":\"NEGATIVE\",\"Velocity\":\"NEGATIVE\",\"New City\":\"NEGATIVE\"}}"
}
},
"legacyEventType": null,
"transaction": {
"type": "WEB",
"id": " XXXXXXXXX",
"detail": {}
},
"uuid": " XXXXXXXXX",
"version": "0",
"request": {
"ipChain": [
{
"ip": "XX.XXX.XXX.XX",
"geographicalContext": {
"city": "XXXX XXXX",
"state": "XXXX",
"country": "United States",
"postalCode": "XXXXX",
"geolocation": {
"lat": XX.XXXX,
"lon": -XX.XXXX
}
},
"version": "V4",
"source": null
}
]
},
"target": [
{
"id": " XXXXXXXXX ",
"type": "AppInstance",
"alternateId": "XXXX",
"displayName": "XXXX",
"detailEntry": {
"signOnModeType": "SAML_2_0",
"signOnModeEvaluationResult": "DENIED"
}
},
{
"id": " XXXXXXXXX ",
"type": "Rule",
"alternateId": "unknown",
"displayName": "Catch-all Rule",
"detailEntry": {
"policyRuleFactorMode": "2FA"
}
}
]
}
The code within the HTML page is as below.
Android WebView code:
// Configure the WebView that hosts the sign-in page, then load it.
with(webView.settings) {
    // The sign-in widget is JavaScript-driven and uses DOM storage.
    javaScriptEnabled = true
    domStorageEnabled = true
    // NOTE(review): these two widen what any page loaded here can reach
    // (file:// and content:// URIs). They are only needed if `url` is itself a
    // local file:// page — confirm, and leave them off otherwise.
    allowFileAccess = true
    allowContentAccess = true
}
// Presumably clears cookies so each sign-in attempt starts without stale session state.
CookieManager.getInstance().removeAllCookies(null)
// Expose LoadListener to page JavaScript under the name "androidClient".
// Every page that ends up in this WebView (including any redirect the login
// flow follows) can call its @JavascriptInterface methods, so LoadListener
// should expose nothing beyond what the sign-in page actually needs.
val jsBridge = LoadListener(findNavController(), activity as BaseActivity)
webView.addJavascriptInterface(jsBridge, "androidClient")
setupWebClient()
// Discard cached resources before navigating.
webView.clearCache(true)
webView.loadUrl(url)