React app accessToken is undefined, but isAuthenticated is true - okta-react

I’ll try just using one application. Worth a shot.

I’m using OKTA because I heard it was supposed to be easier than hand-rolling my own auth. Friends don’t let friends do auth stuff, but OKTA seems a bit painful, at least to begin with.

Trying to have one app for localhost and live, but there’s only one value you can put into “Initiate login URI” so presumably one has to have one application per environment?

You would be putting your SPA callback into the redirect section; initiate is not a concern here. Also, can you please remove that URL in the initiate section for the sake of experiment. It should not be the same as the callback, actually.

When you say it’s duplicated, what exactly do you mean? Normally you’d need only one application in Okta for your SPA + backend pair.

To be honest, your back end application may not be registered with Okta at all, if it only performs offline token validation.

What I meant specifically is that I’ve created a back-end application then duplicated it for the live environment. It’s a “Web” type application so I can validate tokens on the back-end and check that a user has certain authorities. I duplicated that for the live environment. So I have four applications in total at the moment.

Also, to be clear, by duplicate I mean I’ve made new ones and changed their settings appropriately.

  • SPA live
  • Back-end live
  • SPA localhost
  • Back-end localhost

You would be putting your SPA callback into the redirect section; initiate is not a concern here. Also, can you please remove that URL in the initiate section for the sake of experiment. It should not be the same as the callback, actually.

Tried this, and it’s still giving no value for accessToken :frowning:

So now my localhost and live apps are using this application in okta:

Screen Shot 2020-07-13 at 15.29.33

Well, we definitely need someone who knows how to troubleshoot a React app :slight_smile: From my perspective it’s all quite clear that there is no proper traffic to even get the access token. Assuming all the React configuration has been done properly for the live app, it’s something inside it.

Is your live app publicly visible?

oh… wait!

I think I might have an idea! I believe PKCE won’t work for non-https URLs, unless they are on localhost. Is there a chance to try to switch your app to https for live?

Ah ok. If that’s the case, it’s not very clear in what I’ve read. I did disable PKCE because this is just HTTP for now. It’s on http://dev.caol.io. There are lots of warnings if you enable PKCE and use HTTP. Not sure I get the point of being able to disable it if you can’t do much without it. :man_shrugging:

I was hoping to not have to deal with certs, but I’ll give it a go. That’s probably the issue, right?

I’ll report back hopefully in 10 mins. haha

Well, if you are using just implicit, that should be fine too, I believe. I was not sure which flow exactly is used.

I am not sure what you mean. I don’t really know what implicit is for, or what it does.

I’ve found that a lot of what I’ve been reading is just “put this thing in this field” and doesn’t give much easy to understand explanation of what’s going on or clarification on what these terms mean. For example, embarrassingly, I’ve no idea what implicit means in this context.

It’s the implicit flow for SPAs vs. the PKCE flow I was talking about.

I hit your app; at least it tries to authenticate me :slight_smile: I can’t do anything besides that, but at least I got a response from Okta that I’m not authenticated, which is a good sign :slightly_smiling_face:

I wonder if you can capture a HAR for some test user and share it to my email, if you want.

Hi @phi1ipp - thanks once again for all your help.

Enabling HTTPS on live environment worked :slight_smile:

For anyone looking at this thread in the future: It seems you can authenticate on HTTP connections but cannot get tokens. To get a token you need HTTPS and, of course, need to enable PKCE and disable the HTTPS check.

The mistake I made was assuming that disabling the HTTP check and PKCE would still work for getting an auth token. It still baffles me a little, because it is possible to disable PKCE and disable the HTTP check for localhost builds and still auth correctly and get a token :man_shrugging:

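The thread’s conclusion, turned into a pre-flight check for an okta-react style OIDC config object (this is an added example, not code from the thread or from Okta): a remote redirect URI over plain HTTP is the condition that left isAuthenticated true while accessToken stayed undefined, while plain HTTP on localhost is tolerated. The placeholder issuer domain and clientId in the sample configs are constructed values; the hostname dev.caol.io is the one used in the thread.

```javascript
// Hosts Okta accepts over plain HTTP for PKCE redirects (from the thread:
// localhost works, a remote host does not). Loopback aliases are included
// as an assumption; adjust if your tenant behaves differently.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function isLoopback(hostname) {
  return LOOPBACK_HOSTS.has(hostname);
}

// Returns a list of human-readable findings for an okta-react / okta-auth-js
// style config ({ issuer, clientId, redirectUri, pkce }). An empty list means
// the config passes the checks this thread is about.
function checkOktaSpaConfig(config) {
  const findings = [];
  let redirect;
  try {
    redirect = new URL(config.redirectUri);
  } catch {
    return [`redirectUri is not a valid absolute URL: ${config.redirectUri}`];
  }

  // Core finding from the thread: tokens are not returned to a plain-HTTP
  // redirect URI on a non-localhost host, even though the login itself works.
  if (!isLoopback(redirect.hostname) && redirect.protocol !== 'https:') {
    findings.push(
      `redirectUri ${redirect.origin} is plain HTTP on a non-localhost host; ` +
      'Okta will not hand tokens back to it, so authState.isAuthenticated can ' +
      'be true while accessToken stays undefined. Serve the app over HTTPS.'
    );
  }
  // The working setup in the thread kept PKCE on; disabling it did not help.
  if (config.pkce === false) {
    findings.push('pkce is disabled; keep PKCE enabled for a SPA and fix the redirect URL instead.');
  }
  if (!config.issuer || !/^https:\/\//.test(config.issuer)) {
    findings.push('issuer must be an https URL, e.g. https://<your-okta-domain>/oauth2/default.');
  }
  if (!config.clientId) {
    findings.push('clientId is missing.');
  }
  return findings;
}

// Constructed sample: the live config from the thread before HTTPS was enabled.
const liveHttpConfig = {
  issuer: 'https://example.okta.com/oauth2/default', // placeholder tenant
  clientId: 'CONSTRUCTED_CLIENT_ID',
  redirectUri: 'http://dev.caol.io/login/callback',
  pkce: false,
};
```

Run `checkOktaSpaConfig(liveHttpConfig)` at app start-up (or in a unit test) and fail fast on a non-empty result instead of discovering an undefined accessToken in the browser.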

Gratz @colinriddell :slight_smile:

Okta’s implementation of PKCE allows you to use HTTP on localhost for PKCE flow, but not for the remote host. Had to fight this battle once :slight_smile:


You don’t know until you try :slight_smile: thanks again.

