Okta React Sign-In Widget with MFA

To start, I’m using the sign-in widget with a pkce, authorization code flow. There’s a backend hitting a custom authorization server with the auth token as well.

When I first started using the sign-in widget, I had my authParams object with the pkce: true as the only field. Under this setup, the sign-in widget would take in user credentials and then display the MFA push notification, all in-application.

Under my new setup:
authParams: {
  issuer: 'default',
  pkce: true,
  scopes: ['openid', 'email'],
  responseType: 'code',
  grantType: 'authorization_code',
},

the sign-in widget now redirects to an Okta-hosted page displaying the push notification button.
I’m wondering why this changed, and how I can get the sign-in widget to show all authentication steps, rather than redirecting to the Okta-hosted page.


Hi @chapman.nate

Is the MFA on authentication level or application level?

This is on an authentication level (I believe). I have some MFA rules set for authentication in our admin page for the application.

I’m experiencing this same issue. The React sign in widget is sending me to my Okta org’s sign in page for the MFA challenge rather than displaying it in the widget. This is important to our workflow. Is there any update on what’s going on here?

My widget configuration is much simpler: no pkce or anything like that. We have an org group that requires MFA on login, so the issue is happening at the org authentication level.

So after some back and forth with the developers, it sounds like this feature is currently unavailable.

Oh, well that seems super less-than-ideal. Did they happen to mention why that is or if/when it will be making a return? We were sort of counting on this for our rollout.

The response:
I looked into this further and it sounds like this is expected behavior as you are using application-level MFA for the OpenID Connect application. Unfortunately, app-level MFA is incompatible with self-hosted sign in pages, which explains why you are being redirected back to the Okta hosted sign in to complete the process.

I’m curious as to why it worked for you previously, but my guess is that you had an Organization-level Sign On policy in place instead that prompted the user for their factor. One solution to work around this issue would be configuring an org-level MFA to apply to groups assigned your application, a group that you could then use for application assignment.

You may also want to submit a Feature Request for this setup to be supported on the Okta Ideas site, which you can access by logging into your Okta Admin Console, clicking on the link for Help and Support (which takes you to our Support site), and then navigating to Products > Ideas. Once ideas are submitted, other Okta admins will have the ability to vote on them to help our Product team prioritize requests; additionally, you will be able to monitor the potential for future enhancements there.

Thanks, that’s very helpful. I appreciate the info!