Okta with Duo MFA PKCE flow on mobile - issues with Duo enrollment process


I have a React Native (0.66.4) mobile application for iOS.

I am implementing a PKCE authentication flow using Okta, with Duo MFA enabled.
(not using Okta SDK, since we have a custom login widget provided through our own service, but calling Okta APIs directly).

The flow is web based and implemented inside a WebView in the application.

I am having an issue with the Duo MFA enrolment process for a brand new user. Here is the sequence:

  1. Load login screen with credentials
  2. Enter credentials and send request to Okta for authorization code
  3. Okta detects the MFA configuration
  4. Duo Widget gets rendered on screen to start set up
  5. Set up is requested and the widget gets to the point of “Take me to Duo Mobile” - see screenshot
    (Example link looks like: Two-Factor Authentication)
  6. Tapping on the button opens the Duo Mobile App through a deep link - set up there is completed correctly
    (Redirect link looks like: duo://HpfXiHSMNoc4KxMYKvCm-YXBpLTk2ZTBiOWE2LmR1b3NlY3VyaXR5LmNvbQ)
  7. Issue occurs here → in the meantime, the Webview generates this iOS error (please note I have added the curly brackets placeholders to remove references to the domain, that’s not how the actual url looks like) and no further Duo widgets render
 'Encountered an error loading page', { target: 219,
  description: 'unsupported URL',
  url: 'https:/{issuer domain}/signin/enroll/duo/web',
  canGoBack: true,
  title: '{domain name here} - Extra Verification',
  domain: 'NSURLErrorDomain',
  code: -1002,
  didFailProvisionalNavigation: true,
  loading: false,
  canGoForward: false }

Next time I try to login with this user, Duo MFA works well, I can generate a push notification or request a call etc.

  • Do you have any suggestions on what may be causing the issue?
  • What is the purpose of the API endpoint /signin/enroll/duo/web- is this the final step in the enrolment process?
  • Should this url have some kind of parameters

I have configured the app to be able to accept https schemas already (this works for other https urls) and I think I have configured the WebView correctly - all other Okta and Duo urls work correctly.
The error occurs for both Tablet and Mobile phone flow.

Let me know if more information is needed

Added some screenshots for what the Duo process looks like before the error occurs (the error is an iOS one and not a Duo one)