Okta Signin Widget calling /authn instead of /authorize

mathieuv · June 24, 2021, 10:12am

Hi,

I’ve searched for a while and haven’t found any information past this post: Okta-signin-widget POSTing to /authn when I want it to use /authorize for OIDC.

I’m using the authorization code flow with PKCE in a React SPA. I’ve noticed that the widget makes call to the ${baseUrl}/api/v1/authn endpoint. This did not appear as an issue since the login process worked properly and users could login.

However, client-based rate limit only work on /authorize endpoint, so I set out to make the requests to this endpoint instead of /authn. In retrospect, according to our current configuration, the calls should already be made to the /authorize endpoint. I tried forcing it by using the authParams.authorizeUrl parameter, however it looks like it is getting ignored.

Is there any option to set to make sure the calls are being made to the /authorize endpoint?

phi1ipp · June 27, 2021, 2:38pm

how does your config look like? does it have client_id and issuer?

mathieuv · June 28, 2021, 8:43am

Yes it does have a client_id and an issuer. My authParams looks like this:

clientId,
redirectUri: `https://my-website.com/login`,
pkce: true,
issuer: `https://my-okta-tenant/oauth2/default`,
responseType: ['code'],
responseMode: 'query',
scopes: ['openid', 'offline_access'],
display: 'page'

andrea · July 6, 2021, 8:45pm

The widget is designed to handle both primary authentication into the Okta org (/authn) and, if a client_id and issuer are passed, to request tokens for an OIDC app (/authorize). There is no way to prevent an /authn call from occurring unless the user session already exists in the browser and you can directly make an authorize call to request tokens, using the Auth JS token library’s getWithoutPrompt, getWithPopup, or getWithRedirect methods.