Hi, I am using the Okta sign-in widget and I was able to get it working by enabling the setting “Embedded widget sign-in support” on a test application. However, our administrator mentioned that this is insecure and we should instead use PKCE and not enable that option.
I followed the steps here (Implement authorization by grant type | Okta Developer) to set up the Okta application. The documentation is not clear on how to enable this for a basic JS example, but I tried a few variations of this configuration:
oktaConfig = {
    redirectUri: 'http://localhost:8098/login/callback',
    clientId: "...",
    baseUrl: "...",
    authParams: {
        issuer: '.../oauth2/default',
        pkce: true,
    },
    useInteractionCodeFlow: false,
    scopes: ['openid', 'profile', 'email'],
};
oktaSignIn = new OktaSignIn(oktaConfig);
function showOktaSignIn() {
    oktaSignIn.showSignInToGetTokens()
    ...
I know it says PKCE will be enabled by default, for instance, but it fails with or without it explicitly defined.
We are using Okta Identity Engine and checked using the method in that answer I linked.
Error message:
Failed to load resource: the server responded with a status of 400 () …/oauth2/default/v1/interact:1
bundle.js:55 OAuthError: The client is not authorized to use the provided grant type. Configured grant types: [authorization_code, refresh_token].
at eval (default.js:2:79858)
We are using the latest version of the widget.