Trying to implement okta-auth-js examples, no permission to fetch openid-configuration

I have an Okta developer account set up with the ‘default’ authorization server that it came with, and configured for an SPA requiring PKCE and a grant type of Authorization Code.

I’ve manually worked through the authorize and token steps, with session cookies, code challenges and code verifiers, making requests using curl and I can issue an access token.

I’m now trying to use the okta-auth-js library to implement a simple single-page app that will ask the user to log in and then acquire an access token.

I’m following the instructions at GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API, and I have some JavaScript being served off my local web server (with SSL, test.localhost:8441, and a Content-Security-Policy that includes script-src 'self' 'unsafe-inline' https://global.oktacdn.com; ... connect-src 'self' https://*.okta.com).

(Developer URL and client ID values have been REDACTED, but they are the values that work when tested manually):

<script src="https://global.oktacdn.com/okta-auth-js/7.2.0/okta-auth-js.min.js" type="text/javascript"></script>

<script>
  async function main() {
    const config = {
      // config
      issuer: 'https://dev-[REDACTED].okta.com/oauth2/default',
      clientId: '[REDACTED]',
      redirectUri: 'https://test.localhost:8441/assets/okta.html',

      responseType: 'code',
      pkce: true
    };
    // Declared with const: the original assigned authClient without declaring it,
    // which leaks it as an implicit global.
    const authClient = new OktaAuth(config);
    authClient.authStateManager.subscribe(function(authState) {
      if (!authState.isAuthenticated) {
        // unauthenticated view
        alert("unauthenticated. isPKCESupported()? " + OktaAuth.features.isPKCESupported());
        // fetches <issuer>/.well-known/openid-configuration, then redirects to the authorize endpoint
        authClient.signInWithRedirect({ scopes: ['openid'] });
        return;
      }
      // authenticated view
      alert("authenticated");
    });

    // callback: on return from Okta, exchange the authorization code in the URL for tokens
    if (authClient.token.isLoginRedirect()) {
      const { tokens } = await authClient.token.parseFromUrl();
      authClient.tokenManager.setTokens(tokens);
    }

    // start the auth state service; this triggers the subscriber above
    authClient.start();
  }

  main().catch(function(err) {
    // surface discovery / token-exchange failures instead of losing them in an unhandled promise
    console.error(err);
  });
</script>

After loading the URL serving the above in my browser (latest Chrome, 110.0.5481.177) and clicking through my ‘unauthenticated’ alert dialog, the first thing authClient.signInWithRedirect() does is attempt to request https://dev-[REDACTED].okta.com/oauth2/default/.well-known/openid-configuration.

My local server’s Content-Security-Policy permits its retrieval (this was the first point of failure), but the Okta server refuses to serve it (confirmed with curl):

{"errorCode":"E0000015","errorSummary":"You do not have permission to access the feature you are requesting","errorLink":"E0000015","errorId":"oaehWuOTknfQSK2c-sW3ewejQ","errorCauses":[]}

Searching this forum turned up old discussions referencing developer vs production configurations (this is a newly created developer account) and API Manager features, but I can’t find anything named like those in my developer dashboard settings, and the discussions said that they were enabled for developer accounts anyway.

Perhaps the documentation of the okta-auth-js library is not in sync with the current developer dashboard configuration? Is there an option or configuration setting in the script to disable the fetching of openid-configuration, or one on the dashboard to allow it? What am I missing that will make this work?

So if you access https://dev-[REDACTED].okta.com/oauth2/default/.well-known/openid-configuration in your browser, do you also see that “You do not have permission to access the feature you are requesting” error message?

Yes, same response, whether or not the browser is logged in as my test Okta ‘user’ account.

Update: but it looks like it isn’t sending the session cookies when making that request.

Though I was supremely confident in my original post that I had the Developer URL and client ID values correct, I had actually transposed two digits in the middle of the Developer URL.

Now that I’ve swapped them to the correct values, I have it working!
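A pre-flight check that would have caught this, as an added example (not code from the original post and not part of okta-auth-js): fetch the discovery document the library needs and classify the answer before handing the config to OktaAuth. A mistyped org URL can resolve to nothing, to an Okta error envelope like the E0000015 body quoted above, or to a different tenant entirely; the OIDC Discovery rule that the document's `issuer` must equal the configured issuer distinguishes the last case. Assumptions: the error envelope shape (errorCode/errorSummary) is taken from the response quoted in the thread, the discovery field names are the standard ones from OIDC Discovery, the tenant URL is a constructed placeholder, and `fetchImpl` is injectable only so the check can be exercised offline.

```javascript
// Added example: validate the OIDC discovery document for a configured issuer.
// Constructed inputs only; no real Okta tenant is contacted when run stand-alone.

const DISCOVERY_PATH = '/.well-known/openid-configuration';

function discoveryUrl(issuer) {
  // Issuer must be https; strip a trailing slash so the discovery URL (and later
  // issuer comparison) is canonical.
  const u = new URL(issuer);
  if (u.protocol !== 'https:') throw new Error('issuer must use https');
  return issuer.replace(/\/+$/, '') + DISCOVERY_PATH;
}

function classifyDiscoveryResponse(configuredIssuer, status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    return { ok: false, reason: 'non-json-body', status };
  }

  // Okta error envelope (shape as quoted in the thread): errorCode + errorSummary.
  if (typeof body.errorCode === 'string') {
    return { ok: false, reason: 'okta-error', status, errorCode: body.errorCode, errorSummary: body.errorSummary };
  }
  if (status !== 200) return { ok: false, reason: 'http-status', status };

  // OIDC Discovery requires the document's issuer to match the one used to build
  // the URL. A mismatch means a different tenant or authorization server answered.
  const want = configuredIssuer.replace(/\/+$/, '');
  if (body.issuer !== want) {
    return { ok: false, reason: 'issuer-mismatch', status, expected: want, actual: body.issuer };
  }

  const required = ['authorization_endpoint', 'token_endpoint', 'jwks_uri'];
  const missing = required.filter((k) => typeof body[k] !== 'string');
  if (missing.length) return { ok: false, reason: 'missing-fields', status, missing };

  const methods = body.code_challenge_methods_supported || [];
  return {
    ok: true,
    status,
    issuer: body.issuer,
    pkceS256: methods.includes('S256'), // the SPA config above needs PKCE with S256
    authorizationEndpoint: body.authorization_endpoint,
    tokenEndpoint: body.token_endpoint,
  };
}

async function probeIssuer(configuredIssuer, fetchImpl = globalThis.fetch) {
  // credentials: 'omit' on purpose: discovery is a public document and should
  // never need the Okta session cookie, which matches what the thread observed.
  const res = await fetchImpl(discoveryUrl(configuredIssuer), { credentials: 'omit' });
  const text = await res.text();
  return classifyDiscoveryResponse(configuredIssuer, res.status, text);
}

// Constructed sample data (placeholder tenant, not a real org).
const SAMPLE_ISSUER = 'https://dev-00000000.okta.com/oauth2/default';
const SAMPLE_OK_BODY = JSON.stringify({
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: SAMPLE_ISSUER + '/v1/authorize',
  token_endpoint: SAMPLE_ISSUER + '/v1/token',
  jwks_uri: SAMPLE_ISSUER + '/v1/keys',
  code_challenge_methods_supported: ['S256'],
});
const SAMPLE_E0000015_BODY = JSON.stringify({
  errorCode: 'E0000015',
  errorSummary: 'You do not have permission to access the feature you are requesting',
  errorLink: 'E0000015',
  errorId: 'constructed',
  errorCauses: [],
});

// Stand-alone demonstration against the constructed bodies.
console.log(classifyDiscoveryResponse(SAMPLE_ISSUER, 200, SAMPLE_OK_BODY));
console.log(classifyDiscoveryResponse(SAMPLE_ISSUER, 403, SAMPLE_E0000015_BODY));
```

In a real page, run `probeIssuer(config.issuer)` once at startup and refuse to construct OktaAuth unless the result is `ok` and `pkceS256` is true; the `reason` field tells you whether to look at the URL, the tenant, or the authorization server settings.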
