Environment:
- Okta Identity Engine (OIE)
- Okta Sign-In Widget (embedded mode)
- useClassicEngine: false
- useInteractionCodeFlow: true
Background
We have an embedded Okta Sign-In Widget configured for OIE. We are trying to handle users in PROVISIONED status specifically, users who have signed up, but not completed the full flow.
Expected behavior
When a PROVISIONED user attempts to log in through the widget, we expect the widget to automatically detect the user’s status and transition into the account activation flow, sending a verification code to the user’s email and prompting them to enter it, rather than displaying an error.
Actual behavior
The widget does not redirect into any activation flow. Instead, the user receives an error message and is unable to proceed. No activation email is sent.
const config = {
issuer: ‘https:///oauth2/default’,
clientId: ‘’,
redirectUri: ‘’,
useClassicEngine: false,
useInteractionCodeFlow: true,
features: {
registration: false,
},
}
What we have tried
- Setting flow: ‘unlockAccount’ in the widget config, the network tab shows a 200 response from the widget but no activation email is delivered. We also recognize this may be the wrong flow for PROVISIONED status (vs LOCKED_OUT).
- Setting the flow to login and also removed the flow key entirely, and we are just getting “Unable to sign in” with a PROVISIONED user.
- Confirmed the user is PROVISIONED by querying the Okta Users API directly (GET /api/v1/users/{email}), which returns the user with status: “PROVISIONED”.
Questions
- Is the Okta Sign-In Widget in OIE expected to automatically handle PROVISIONED users by triggering an activation flow, or does this require additional configuration (e.g., a specific Sign-On Policy rule)?
- If automatic handling is supported, what widget config or Okta policy settings are required to enable it?
- If it is not automatic, what is the recommended approach for prompting a PROVISIONED user to activate their account through the embedded widget?
