Hello, I am in the process of switching our App from Implicit to PKCE flow. However, I noticed that the option to log in via the Okta home page is only supported for the Implicit workflow. Is there any workaround? Or is the only way around this to enable Implicit flow?
The error message is wrong. If you configure the integration like you have showing in that screenshot, as well as the “Redirect to app to initiate login (OIDC Compliant)” option, all Okta does is send the user to your application, and your application is expected to start the OAuth flow itself. That means your app is free to use PKCE for that and everything works fine. I tested it out yesterday!
I’ve filed a bug internally. In the meantime, you can enable the Implicit checkbox to save the form. As long as your app doesn’t actually do the implicit flow, it’s fine to have the checkbox enabled.
Yes that’s correct, it would be impossible for Okta to send anything relating to PKCE unless your app initiates that first, which is the point of PKCE.
All that Okta does when you click the button in the dashboard is send a request to your initiate login URL with ?iss= in the URL. Your app is supposed to recognize that is a request asking to start the login flow, then you can start the authorization code flow with PKCE as you normally would.
I’d recommend making a specific URL for the initiate login URL; that way your app can recognize that it is different from other requests that might be made to your app.
Thanks, that helps. I was able to get it implemented.
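The handling described in the replies above, as an added example that is not part of the original thread: the app recognizes a request to a dedicated initiate login URL carrying `?iss=`, accepts it only when `iss` matches its configured issuer, and then starts the authorization code flow with PKCE. The issuer, endpoint, client ID, redirect URI, path and storage key names are assumed placeholders.

```javascript
// Assumed configuration: constructed placeholders, not values from the thread.
const CONFIG = {
  issuer: "https://example.okta.com/oauth2/default",
  authorizeEndpoint: "https://example.okta.com/oauth2/default/v1/authorize",
  clientId: "EXAMPLE_CLIENT_ID",
  redirectUri: "https://app.example.com/callback",
  initiatePath: "/login/initiate", // dedicated initiate login URL
};
// Web Crypto is global in browsers and current Node; older Node exposes it via require.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

function base64url(bytes) {
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function randomToken(byteLength) {
  return base64url(webcrypto.getRandomValues(new Uint8Array(byteLength)));
}
// S256 challenge per RFC 7636: BASE64URL(SHA-256(code_verifier)).
async function pkceChallenge(verifier) {
  const digest = await webcrypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
  return base64url(new Uint8Array(digest));
}
// True only for the dedicated path carrying an iss that exactly matches our issuer.
function isInitiateLogin(requestUrl) {
  const url = new URL(requestUrl);
  return url.pathname === CONFIG.initiatePath && url.searchParams.get("iss") === CONFIG.issuer;
}
// Returns the authorize URL to redirect to, or null when the request is not a
// valid initiate-login request. `store` needs setItem(), e.g. sessionStorage.
async function startLogin(requestUrl, store) {
  if (!isInitiateLogin(requestUrl)) return null;
  const verifier = randomToken(32); // 43 characters, the RFC 7636 minimum
  const state = randomToken(16);
  store.setItem("pkce_verifier", verifier); // sent later with the token request
  store.setItem("oauth_state", state); // compared on the callback
  const authorize = new URL(CONFIG.authorizeEndpoint);
  authorize.search = new URLSearchParams({
    response_type: "code",
    client_id: CONFIG.clientId,
    redirect_uri: CONFIG.redirectUri,
    scope: "openid",
    state,
    code_challenge: await pkceChallenge(verifier),
    code_challenge_method: "S256",
  }).toString();
  return authorize.toString();
}
```

In a browser, call `startLogin(window.location.href, sessionStorage)` on the initiate login route and redirect to the returned URL when it is not `null`.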


