Okta Signin Widget with PKCE on Okta Identity Engine fails with: The client is not authorized to use the provided grant type

psilospore · January 9, 2024, 11:14pm

Hi, I am using the Okta sign-in widget and I was able to get it working by enabling the setting “Embedded widget sign-in support” on a test application. However, our administrator mentioned that this is insecure and we should instead use PKCE and not enable that option.

I followed the steps here Implement authorization by grant type | Okta Developer to set up the Okta application. The documentation is not clear on how to enable for a basic JS example but I tried a few variations of this configuration:

oktaConfig = {
  redirectUri: 'http://localhost:8098/login/callback',
  clientId: "...",
  baseUrl: "...",
  authParams: {
    issuer: '.../oauth2/default',
    pkce: true,
  },
  useInteractionCodeFlow: false,
  scopes: ['openid', 'profile', 'email'],
};
oktaSignIn = new OktaSignIn(oktaConfig);

function showOktaSignIn() {
  oktaSignIn.showSignInToGetTokens()
...

I know it says it will have pkce enabled by default for instance but with or without it explicitly defined it fails.

We are using Okta Identitiy Engine and checked using the method in that answer I linked.

Error message:

Failed to load resource: the server responded with a status of 400 () …/oauth2/default/v1/interact:1
bundle.js:55 OAuthError: The client is not authorized to use the provided grant type. Configured grant types: [authorization_code, refresh_token].
at eval (default.js:2:79858)

We are using the latest version of the widget.

andrea · January 9, 2024, 11:22pm

Can you confirm that you followed the steps here that walk through enabling the Interaction Grant type (which is used in Okta Identity Engine orgs or primary authentication)?

“Embedded widget sign-in support” is turned on under Settings → Account

Screenshot 2024-01-09 at 3.21.07 PM1074×546 29.8 KB
“Interaction Code” is enabled under the Application → General → General Settings

Screenshot 2024-01-09 at 3.22.39 PM1316×1594 184 KB

psilospore · January 11, 2024, 7:04pm

Thanks for the response! I’m slightly confused because it almost seems like it’s warning you if you enable that setting and suggests using PKCE instead. If we enable it then it works fine. Unless we’re misunderstanding?

This is what our admin linked:
https://help.okta.com/oie/en-us/content/topics/settings/embedded-sign-in-support.htm?cshid=csh-embedded-sign-in

jmussman · January 11, 2024, 8:49pm

Hi!

I’m going to jump in along side of Andrea (who is awesome!) because I want to know if you are actually trying to use the embedded sign-in widget, or the Okta-hosted sign-in widget. The embedded one is where you host it on your own page. Two totally different scenarios.

Joel

system · February 10, 2024, 8:50pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
The client is not authorized to use the provided grant type Questions	3	3021	August 24, 2023
Okta sign-in widget without PKCE Questions	7	4681	January 23, 2024
Supplying original /authorize PKCE code_challenge and state to Okta Signin Widget Questions	2	3323	February 8, 2024
Using Okta signin widget with pkce and plain javascript Questions	1	2646	February 8, 2024
Okta Sign-in Widget Using PKCE Flow Questions	3	6214	April 1, 2021

Okta Signin Widget with PKCE on Okta Identity Engine fails with: The client is not authorized to use the provided grant type

Related topics