I have an Okta developer account set up with the ‘default’ authorization server that it came with, and configured for an SPA requiring PKCE and a grant type of Authorization Code.
I’ve manually worked through the authorize and token steps, with session cookies, code challenges and code verifiers, making requests using curl, and I can issue an access token.
I’m now trying to use the okta-auth-js library to implement a simple single page app that will ask the user to log in and then acquire an access token.
I’m following the instructions at GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API, and I have some JavaScript being served off my local web server (with SSL, test.localhost:8441, and a Content-Security-Policy that includes script-src 'self' 'unsafe-inline' https://global.oktacdn.com; ... connect-src 'self' https://*.okta.com).
(Developer URL and client ID values have been REDACTED, but they are the values that work when tested manually):
<script src="https://global.oktacdn.com/okta-auth-js/7.2.0/okta-auth-js.min.js" type="text/javascript"></script>
<script>
async function main() {
  // Developer URL and client ID values have been REDACTED
  const config = {
    issuer: 'https://dev-[REDACTED].okta.com/oauth2/default',
    clientId: '[REDACTED]',
    redirectUri: 'https://test.localhost:8441/assets/okta.html',
    responseType: 'code',
    pkce: true
  };
  // declared with const rather than leaking an implicit global
  const authClient = new OktaAuth(config);

  authClient.authStateManager.subscribe(function (authState) {
    if (!authState.isAuthenticated) {
      // unauthenticated view: report PKCE support, then start the redirect flow
      alert("unauthenticated. isPKCESupported()? " + OktaAuth.features.isPKCESupported());
      authClient.signInWithRedirect({ scopes: ['openid'] });
      return;
    }
    // authenticated view
    alert("authenticated");
  });

  // callback: on return from Okta, exchange the code for tokens and store them
  if (authClient.token.isLoginRedirect()) {
    const { tokens } = await authClient.token.parseFromUrl();
    authClient.tokenManager.setTokens(tokens);
  }
  authClient.start();
}
// surface any rejection instead of dropping it silently
main().catch(function (err) { console.error(err); });
</script>
After accessing the URL serving the above with my browser (latest Chrome, 110.0.5481.177), and clicking through my ‘unauthenticated’ alert dialog, the first thing authClient.signInWithRedirect() does is attempt to request https://dev-[REDACTED].okta.com/oauth2/default/.well-known/openid-configuration.
My local server’s Content-Security-Policy permits its retrieval (this was the first point of failure), but the Okta server refuses to serve it (confirmed with curl):
{"errorCode":"E0000015","errorSummary":"You do not have permission to access the feature you are requesting","errorLink":"E0000015","errorId":"oaehWuOTknfQSK2c-sW3ewejQ","errorCauses":[]}
Searching this forum, there are old discussions referencing developer vs production configurations (this is a newly created developer account), and API Manager features - but I can’t find anything named like those in my developer dashboard settings, and the discussions said that they were enabled for developer accounts anyway.
Perhaps the documentation of the okta-auth-js library is not in sync with the current developer dashboard configuration? Is there an option or configuration setting in the script to disable the fetching of openid-configuration, or on the dashboard to allow it? What am I missing that will make this work?