Okta Next Auth redirect issue

I’m integrating Okta as an OIDC provider in a Next.js (App Router) application using NextAuth.js. My setup is standard: I use the well-known endpoint, client ID/secret, and the recommended scopes (openid email profile). The provider config in NextAuth looks like this:

import type { NextAuthOptions } from 'next-auth';

// Minimal shape of the OIDC profile claims Okta returns; the original post did
// not show this type, so this is the smallest definition the config needs.
interface OIDCProfile {
  sub: string;
  name?: string;
  given_name?: string;
  email?: string;
}

// Note: token.id, session.user.provider and session.user.environment below
// assume a next-auth.d.ts module augmentation that declares these fields.

function createInternalOktaProvider() {
  return {
    id: 'okta-internal',
    name: 'SSO',
    type: 'oauth' as const,
    // Discovery document; issuer must match the "iss" claim Okta puts in the ID token
    wellKnown: `${process.env.NEXT_PUBLIC_OKTA_ISSUER!}/.well-known/openid-configuration`,
    authorization: {
      params: {
        scope: 'openid email profile',
      },
    },
    idToken: true, // read the profile from the ID token rather than the userinfo endpoint
    clientId: process.env.INTERNAL_OKTA_CLIENT_ID!,
    clientSecret: process.env.INTERNAL_OKTA_CLIENT_SECRET!,
    issuer: process.env.NEXT_PUBLIC_OKTA_ISSUER!,
    profile(profile: OIDCProfile) {
      return {
        id: profile.sub,
        name: profile.name ?? `${profile.given_name || ''}`.trim(),
        email: profile.email || '',
        provider: 'okta-internal',
        environment: 'internal',
      };
    },
  };
}

export const authOptions: NextAuthOptions = {
  providers: [createInternalOktaProvider()],
  session: {
    strategy: 'jwt',
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
  secret: process.env.NEXTAUTH_SECRET,
  pages: {
    signIn: '/auth/signin',
    error: '/auth/error',
  },
  callbacks: {
    async jwt({ token, account, profile }) {
      if (account && profile) {
        const oidcProfile = profile as OIDCProfile & { environment?: string };
        token.id = oidcProfile.sub;
        token.provider = account.provider || 'okta-internal';
        token.environment = oidcProfile.environment || 'internal';
        console.log('JWT Callback - Token');
      }
      return token;
    },
    async session({ session, token }) {
      if (token.id && session.user) {
        session.user.id = token.id;
        session.user.provider = token.provider;
        session.user.environment = token.environment;
        console.log('Session Callback - User logged in:', session.user);
      } else {
        console.log('Session Callback - No user logged in');
      }
      return session;
    },
  },
};

Problem:
When I click the Okta chiclet for the OIDC app, it takes me to /api/auth/callback/okta-internal (the sign-in redirect URI configured in Okta), and I get the following error from NextAuth:

OAUTH_CALLBACK_ERROR next auth - error: i: state missing from the response

After this it lands me on /auth/signin?callbackUrl=https%3A%2F%2Fmy.company.com%2F&error=OAuthCallback

Ideally it should take me to the site's home page with a logged-in user. Am I missing something here?

Hi ggoyal,

For IdP-initiated OIDC apps there is a little more involved than there typically is with SAML apps. The knowledge article below should help with the setup options.

Hi, Thanks for your reply!!
I am following the first method, where it appends an "iss" param to the URL, but it mentions that the app should construct an authorization request to log in. Ideally the NextAuth callback should handle this automatically, right?
The second approach also mentions using the id_token sent in the POST request. Does that mean in both approaches the user needs to be redirected to the login screen and will be prompted to enter credentials?

I don't believe that it does, and you would need to create the handler logic.

Typically with the second approach there would be no need to redirect the user to do another authorize call. Instead the application would take the id_token supplied in the POST request and log the user in based on this credential. This requires the application to be able to handle a POST request, so it is more likely used in server-side applications as opposed to client-side (browser) applications.