SPA App - Login Initiated by Okta and PKCE

Hello, I am in the process of switching our app from the Implicit to the PKCE flow. However, I noticed that the option to log in via the Okta home page is only supported for the Implicit flow. Is there any workaround? Or is the only way around this to enable the Implicit flow?

The error message is wrong. If you configure the integration like you are showing in that screenshot, as well as the “Redirect to app to initiate login (OIDC Compliant)” option, all Okta does is send the user to your application, and your application is expected to start the OAuth flow itself. That means your app is free to use PKCE for that and everything works fine. I tested it out yesterday!

Okta doesn’t let me save the form with this configuration.

I’ve filed a bug internally. In the meantime you can enable the Implicit checkbox to save the form. As long as your app doesn’t actually do the implicit flow, it’s fine to have the checkbox enabled.

Can I please confirm if this is what you expect to see for network traffic when the app button is clicked from Okta dashboard?


I don’t get any PKCE code in the URLs; is that expected? Based on the information that gets passed, I am not sure how my app is supposed to go ahead with the PKCE flow.

Yes, that’s correct. It would be impossible for Okta to send anything relating to PKCE unless your app initiates that first, which is the point of PKCE.

All that Okta does when you click the button in the dashboard is send a request to your initiate login URL with ?iss= in the URL. Your app is supposed to recognize that as a request asking to start the login flow; then you can start the authorization code flow with PKCE as you normally would.

I’d recommend making a specific URL for the initiate login URL, so that your app can recognize that it is different from other requests that might be made to your app.

Thanks, that helps. I was able to get it implemented.
