I’m trying to add the Okta sign-in widget to my mobile app’s backend web API, which currently uses the OAuth 2.0 Authorization Code with PKCE grant flow.
The mobile app is already performing a call to my backend’s /authorize endpoint with all of the necessary parameters - codeChallenge, scope, state, et cetera. However, when I use the sign-in widget, it generates a new PKCE when performing .showSignInAndRedirect(), and sends the widget-generated codeChallenge to the authorization server instead of the codeChallenge I started the overall authorization flow with.

Is there a way I can override the widget’s PKCE with the /authorize data I’ve already got? Particularly, I’m interested in overriding the PKCE, but I will also need to override the state.

I can’t use .showSignInToGetTokens(), as the app will still post to my /token endpoint.

Here’s my current configuration - I’m using 5.7.3 of the sign-in widget from the CDN. I’m trying to use .showSignInAndRedirect() because it seems to be the best option to use when augmenting an /authorize endpoint.
```javascript
// Sign-in widget 5.7.3 loaded from the CDN; the {{...}} values are template placeholders
const signIn = new OktaSignIn({
  baseUrl: {{oktaDomain}},
  el: '#widget-container',
  clientId: {{clientId}},
  redirectUri: {{redirectUri}}, // registered in my Okta SPA app
  scope: ['openid', 'profile'],
  authParams: {
    issuer: authIssuer
  }
});

// Redirect flow: the widget generates its own PKCE code challenge and state here
signIn.showSignInAndRedirect()
  .catch(function (error) {
    // Handle error
    console.log(error);
  });
```