The Okta Sign-In Widget hangs without an error and is observed to be unable to get tokens using showSignInToGetTokens

Hello

I set up a SPA app in the Okta admin. It is using PKCE (kinda important for later on).

On my app, I’m sending the conf to Okta:

    const oktaConf = {
        issuer: UISettings.settings.auth.okta.issuer,
        clientId: UISettings.settings.auth.okta.client_id,
        scopes: ['openid', 'profile', 'email', 'groups'],
        redirectUri: window.location.origin + '/signin/callback',
        useInteractionCodeFlow: false,
        useClassicEngine: true,
        authParams: {
            pkce: true,
            responseMode: 'fragment',
            issuer: UISettings.settings.auth.okta.issuer,
        },
    };
    if (!signinWidgetRef.current) {
        return false;
    }

    const widget = new OktaSignIn(oktaConf);

    const searchParams = new URL(window.location.href).searchParams;
    widget.otp = searchParams.get('otp');
    widget.state = searchParams.get('state');
    widget.showSignInToGetTokens({
        el: signinWidgetRef.current,
    }).then(onSuccess).catch(onError);

This is supposed to get a token, which should actually redirect the page, but the Okta widget gets stuck in the loading state without any error or logs in the console or the app logs.

What is the last API request being made by the widget and what was its response? Do you happen to see any failures logged in the Okta System Log?

Your code shows you are using useClassicEngine set to true. Does your application require [additional] MFA beyond what is required at the global/org level?

The last API request made by the widget is a POST to /api/v1/authn. In our tests, this request returns a SUCCESS status along with a sessionToken.
We have checked the Okta System Log — the primary failure we see is OAuth2 authorization request → FAILURE: login_required, which occurs when the sessionToken is not passed correctly to the authorization endpoint.
Our application does not require additional MFA beyond the global/org-level policies.

and the widget in the UI hangs on the circular loading state

> FAILURE: login_required
> and the widget in the UI hangs on the circular loading state

Well, that at least is what I thought was happening here. If the OIDC call encounters an error, it's not going to enter the success block as the user will not be granted tokens.

> which occurs when the sessionToken is not passed correctly to the authorization endpoint.

That doesn’t sound right. The sessionToken should get passed to the /authorize call so that the user can get logged into the OIDC application and get an Okta session… Hmm

Also, I’m also not sure why you have this code in place

        const searchParams = new URL(window.location.href).searchParams;
        widget.otp = searchParams.get('otp');
        widget.state = searchParams.get('state');

The only time you would receive an otp and state value is when using Email Magic Links, but you must use interaction code flow/an Identity Engine org to use magic links.

If you are in an Identity Engine org instead of a Classic Engine org, can you try setting useClassicEngine: false and useInteractionCodeFlow: true (though, in theory, you should only need to use the former for widget version 7.x and the latter for widget versions 5.x and 6.x, they don’t exist within the same version)? Using Classic Engine is only recommended for customers whose orgs are still on Classic Engine.
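The reply's points about the engine flags and the otp/state parameters, written as a pre-flight check that runs before the widget is constructed. This is an added example, not code from the thread or from Okta; `planWidgetSetup`, its finding strings, the widget major version passed in, and the sample URL and config values are assumptions made for illustration.

```javascript
// Added example: planWidgetSetup and the finding strings are hypothetical names,
// not part of the Okta Sign-In Widget API.
function planWidgetSetup(conf, widgetMajor, href) {
  const findings = [];
  const has = (k) => Object.prototype.hasOwnProperty.call(conf, k);
  const config = { ...conf };

  // Per the reply: useClassicEngine is the 7.x option, useInteractionCodeFlow
  // the 5.x/6.x one; a config carrying both mixes two versions' options.
  if (has('useClassicEngine') && has('useInteractionCodeFlow')) {
    findings.push('both-engine-flags-set');
  }
  if (widgetMajor >= 7) delete config.useInteractionCodeFlow;
  else delete config.useClassicEngine;

  // Assumption: 7.x runs Identity Engine unless useClassicEngine is true, and
  // 5.x/6.x run Classic Engine unless useInteractionCodeFlow is true.
  const classic = widgetMajor >= 7
    ? config.useClassicEngine === true
    : config.useInteractionCodeFlow !== true;

  // otp and state only arrive via Email Magic Links, which need Identity Engine,
  // so they are forwarded only when both are present and the engine supports them.
  const params = new URL(href).searchParams;
  const otp = params.get('otp');
  const state = params.get('state');
  let magicLink = null;
  if (otp !== null && state !== null) {
    if (classic) findings.push('magic-link-params-on-classic-engine');
    else magicLink = { otp, state };
  }
  return { engine: classic ? 'classic' : 'identity', config, magicLink, findings };
}

// Constructed sample input mirroring the flags posted in the thread.
const postedConf = {
  issuer: 'https://example.okta.com/oauth2/default', // placeholder issuer
  clientId: 'PLACEHOLDER_CLIENT_ID',                 // placeholder client id
  useInteractionCodeFlow: false,
  useClassicEngine: true,
};
const plan = planWidgetSetup(postedConf, 7, 'https://app.example/login');
console.log(plan.engine, plan.findings);
```

When `magicLink` is non-null, its `otp` and `state` are the values to hand to the widget; otherwise the widget is constructed from `config` alone.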
