Hello.
When users enroll their security keys through going to [org].okta.com and their settings, they are unable to use this MFA factor when signing in to SPA apps that leverage the embedded sign-in widget by Okta. The widget does not offer to set it up for the domain in the address bar of the current app. It feels as though it sees the user has it set up already and tries to use it, but of course the URLs don’t match and it cannot be used. The browser says the key is not registered for this site, try another. Is it some kind of Okta sign-in widget limitation, or a bug, or is it just me missing something?
The only way I managed to make it work is removing the security key enrollment, then requiring it for the app; in that case the widget offers to set it up, it registers for the domain name of the app, and then if I go to my org’s Okta portal, I can set it up there too, where it registers the key for the org’s Okta URL too. Then the key is usable in both apps: Okta and the SPA sitting on a separate domain name.
Thank you.
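As an added example (not part of the original post, and not Okta's or the sign-in widget's code): a small JavaScript model of the WebAuthn relying-party ID scoping rule that produces the "not registered for this site" behaviour described above. The hostname app.example.com and the credential ids are constructed, and the suffix check approximates the spec's registrable-domain rule without a public-suffix list.

```javascript
// Effective domain of a web origin, e.g. "https://app.example.com:8443" -> "app.example.com".
function effectiveDomain(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// WebAuthn: the RP ID must equal the caller's effective domain or be a
// registrable-domain suffix of it. Assumption: with no public-suffix list we
// require the RP ID to contain a dot so that bare TLDs like "com" are rejected.
function rpIdValidForOrigin(rpId, origin) {
  const host = effectiveDomain(origin);
  const id = rpId.toLowerCase();
  if (!id.includes('.')) return false;
  return host === id || host.endsWith('.' + id);
}

// Constructed model of the credentials stored on one security key: each
// credential is bound to the RP ID it was created under, and the browser only
// offers credentials whose RP ID is valid for the page's origin.
function findUsableCredential(keyCredentials, rpId, origin) {
  if (!rpIdValidForOrigin(rpId, origin)) return null;
  return keyCredentials.find((c) => c.rpId === rpId) || null;
}

// Replays the scenario from the post: enrollment on the Okta org domain first,
// then a second enrollment through the app on its own domain.
function demonstrateEnrollment() {
  const securityKey = [
    { id: 'cred-okta', rpId: 'org.okta.com' }, // enrolled via [org].okta.com settings
  ];

  // Widget on the SPA's domain: the key holds no credential scoped to it.
  const beforeEnroll = findUsableCredential(securityKey, 'app.example.com', 'https://app.example.com');

  // After enrolling through the app, the key holds a second, separately scoped credential.
  securityKey.push({ id: 'cred-spa', rpId: 'app.example.com' });
  const afterEnroll = findUsableCredential(securityKey, 'app.example.com', 'https://app.example.com');
  const atOkta = findUsableCredential(securityKey, 'org.okta.com', 'https://org.okta.com');

  return { beforeEnroll, afterEnroll, atOkta };
}
```

The first lookup returning null is the "key is not registered for this site" case; both later lookups succeed because the key now holds one credential per RP ID, which is exactly the two-enrollment state the post ends up with.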