Okta Signin Widget with PKCE on Okta Identity Engine fails with: The client is not authorized to use the provided grant type

Hi, I am using the Okta sign-in widget and I was able to get it working by enabling the setting “Embedded widget sign-in support” on a test application. However, our administrator mentioned that this is insecure and we should instead use PKCE and not enable that option.

I followed the steps here ("Implement authorization by grant type | Okta Developer") to set up the Okta application. The documentation is not clear on how to enable it for a basic JS example, but I tried a few variations of this configuration:

```js
oktaConfig = {
  redirectUri: 'http://localhost:8098/login/callback',
  clientId: "...",
  baseUrl: "...",
  authParams: {
    issuer: '.../oauth2/default',
    pkce: true,
  },
  useInteractionCodeFlow: false,
  scopes: ['openid', 'profile', 'email'],
};
oktaSignIn = new OktaSignIn(oktaConfig);

function showOktaSignIn() {
  oktaSignIn.showSignInToGetTokens()
  // ...
}
```

I know it says it will have pkce enabled by default for instance but with or without it explicitly defined it fails.

We are using Okta Identity Engine and checked using the method in that answer I linked.

Error message:

```
Failed to load resource: the server responded with a status of 400 () …/oauth2/default/v1/interact:1
bundle.js:55 OAuthError: The client is not authorized to use the provided grant type. Configured grant types: [authorization_code, refresh_token].
    at eval (default.js:2:79858)
```

We are using the latest version of the widget.

Can you confirm that you followed the steps here that walk through enabling the Interaction Grant type (which is used in Okta Identity Engine orgs or primary authentication)?

Thanks for the response! I’m slightly confused because it almost seems like it’s warning you if you enable that setting and suggests using PKCE instead. If we enable it then it works fine. Unless we’re misunderstanding?

This is what our admin linked:
https://help.okta.com/oie/en-us/content/topics/settings/embedded-sign-in-support.htm?cshid=csh-embedded-sign-in

Hi!

I’m going to jump in alongside Andrea (who is awesome!) because I want to know if you are actually trying to use the embedded sign-in widget, or the Okta-hosted sign-in widget. The embedded one is where you host it on your own page. Two totally different scenarios.

Joel
