Okta sign in widget with IDP discovery doesn't work

I have an application in Okta setup as web app with autorization code flow. Our stack is python backend and frontend react. I’m using sign in widget on the frontend.

If I’m disabling the idp discovery, frontend is getting the code as it should. When idp is enabled, all I get is either ?fromLogin=true or ?iss=<issuer>.

I have followed a number of related articles and answers here on this forum, but none work. Tried using target embed url (/home/oidc_client/...), tried using frontend url and backend url. Tried configuring backend as redirect url, but none are getting the code as they should.

I followed this example on how to setup the frontend: Okta Sign-In Widget and React | Okta Developer

And this example on how to setup the backend: samples-python-flask/custom-login at master · okta/samples-python-flask · GitHub

Is there a working example of authentication code flow with backend in python + frontend in react?

Okta sign in widget configs:

{
    baseUrl: `https://${process.env.REACT_APP_OKTA_DOMAIN}`,
    clientId: process.env.REACT_APP_OKTA_CLIENT_ID,
    display: "page",
    redirectUri: "http://localhost:6060",
    authParams: {
        issuer: `https://${process.env.REACT_APP_OKTA_DOMAIN}/oauth2/default`,
        responseType: "code",
        scopes: ["openid", "email", "offline_access"],
    },
    features: {
        idpDiscovery: true,
        autoPush: true,
    },
    idpDiscovery: {
        requestContext: `/home/oidc_client/...`,
    },

    // Additional documentation on config options can be found at https://github.com/okta/okta-signin-widget#basic-config-options
};

I think my basic issue here is the sign in widget. If I don’t use it and instead call directly to okta-auth-jstoken.getWithRedirect(...), I get the code on the frontend as expected.

A self hosted widget, IDP Discovery is not officially supported and is only designed to redirect the user to Okta (end-user dashboard) after authentication, but not back to an OIDC app, see README for widget here.

However, it does look like your requestContext is correctly configured to point back to the right application (via its app embed link). However, when the user is sent back to the application via this URL, they OAuth flow is NOT initiated (unless you use Okta Simplified in the application settings) and your application will need to make its own request to Okta to get tokens for the user when they land back on the application page/login page. I recommend using getWithRedirect (which will be an automatic redirect via the /authorize URL) or getWithoutPrompt (a silent call will be issued, but it will fail if the browser blocks third party cookies as it is reliant on the Okta session cookie set on the Okta domain)