Okta Signin Widget calling /authn instead of /authorize

Hi,

I’ve searched for a while and haven’t found any information past this post: Okta-signin-widget POSTing to /authn when I want it to use /authorize for OIDC.

I’m using the authorization code flow with PKCE in a React SPA. I’ve noticed that the widget makes calls to the ${baseUrl}/api/v1/authn endpoint. This did not appear to be an issue since the login process worked properly and users could log in.

However, client-based rate limits only work on the /authorize endpoint, so I set out to make the requests go to this endpoint instead of /authn. In retrospect, according to our current configuration, the calls should already be made to the /authorize endpoint. I tried forcing it by using the authParams.authorizeUrl parameter; however, it looks like it is getting ignored.

Is there any option to set to make sure the calls are being made to the /authorize endpoint?

What does your config look like? Does it have client_id and issuer?

Yes it does have a client_id and an issuer. My authParams looks like this:

const authParams = {
  clientId,                                          // clientId defined elsewhere
  redirectUri: `https://my-website.com/login`,
  pkce: true,
  issuer: `https://my-okta-tenant/oauth2/default`,
  responseType: ['code'],
  responseMode: 'query',
  scopes: ['openid', 'offline_access'],
  display: 'page'
};

The widget is designed to handle both primary authentication into the Okta org (/authn) and, if a client_id and issuer are passed, requesting tokens for an OIDC app (/authorize). There is no way to prevent an /authn call from occurring unless a user session already exists in the browser, in which case you can directly make an /authorize call to request tokens using the Auth JS token library’s getWithoutPrompt, getWithPopup, or getWithRedirect methods.