Widget 401 token Error

New to the widget. We were using the API calls but now we are moving to authorization servers, and I am trying to implement the widget on the .NET example but can't seem to get it to log in successfully. I can see my login and pass the password successfully, but I continue to get a 401 when trying to pass the MFA question, with the token error “Client authentication failed. Either the client or the client credentials are invalid.” Not really sure where to go from here. If anyone can point me to some things to look into, it would be most appreciated.



Hiii… Following are the steps to troubleshoot

Double check client credentials for accuracy
Make sure token generation includes the required permissions.
Review the authorization server configuration.
Check request headers for proper authentication.
Use debugging tools to trace requests.

By following these steps you can solve the problem

Double check client credentials for accuracy – credentials are correct
Make sure token generation includes the required permissions. - not sure what this means
Review the authorization server configuration. - from my pic is the config
Check request headers for proper authentication. - password works but MFA not so much
Check request headers for proper authentication. - you can see from the pic

It looks like the application you created within Okta is of type Web and is configured for Client Secret client authentication, but you are trying to use the SPA method to log users in via the Widget (showSignInToGetTokens) which expects the PKCE client authentication method to be used (since the /token request will be completed within the browser).

Can you try making an OpenID Connect application of type “SPA” within Okta instead and update the ClientId in your config accordingly?

1 Like

That seemed to do the trick. Only thing is, when I set up the same thing in my company environment the MFA is SSO and I keep getting a link, but when I click on the link I get “Identity provider is not valid. 404 (Not Found)”

Is there a way to ignore the SSO and always prompt the user for username and password?

You could include the parameter prompt=login to the /authorize request, but that will only prompt the user for their password if they already have an Okta session. The only way to fully prompt them for re-auth would be to terminate their Okta session instead.
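The two replies above, on PKCE versus client-secret authentication at /token and on prompt=login at /authorize, worked through as an added example that is not part of the thread or of Okta's own code. The issuer, client ID, redirect URI and function names are constructed placeholders, and the block runs under Node.js so it can be checked offline.

```javascript
// Added example. In the browser the widget does this work; Node.js is used
// here only so the requests can be built and inspected offline.
const crypto = require('node:crypto');

const cfg = {
  issuer: 'https://example.okta.com/oauth2/default', // constructed placeholder
  clientId: '0oaEXAMPLECLIENTID',                    // constructed placeholder
  redirectUri: 'https://localhost:44314/callback',   // constructed placeholder
};

// code_verifier: 32 random bytes as a 43-character base64url string (RFC 7636).
const makeVerifier = () => crypto.randomBytes(32).toString('base64url');

// code_challenge = BASE64URL(SHA-256(code_verifier)), method S256.
const challengeFor = (verifier) =>
  crypto.createHash('sha256').update(verifier, 'ascii').digest().toString('base64url');

// /authorize URL. forceLogin adds the prompt=login parameter from the last reply.
function authorizeUrl(verifier, state, forceLogin = false) {
  const q = new URLSearchParams({
    client_id: cfg.clientId, response_type: 'code', scope: 'openid profile',
    redirect_uri: cfg.redirectUri, state,
    code_challenge: challengeFor(verifier), code_challenge_method: 'S256',
  });
  if (forceLogin) q.set('prompt', 'login');
  return `${cfg.issuer}/v1/authorize?${q}`;
}

// /token request from a public (SPA) client: client_id and code_verifier in the
// body, no client_secret and no Authorization header. An app registered for
// client-secret authentication rejects this with the 401 from the question.
function spaTokenRequest(code, verifier) {
  return {
    url: `${cfg.issuer}/v1/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code', client_id: cfg.clientId,
      redirect_uri: cfg.redirectUri, code, code_verifier: verifier,
    }).toString(),
  };
}

// The same exchange from a confidential (Web) client, which has to run on a
// server because it authenticates with the secret over HTTP Basic.
function webTokenRequest(code, verifier, clientSecret) {
  const req = spaTokenRequest(code, verifier);
  const basic = Buffer.from(`${cfg.clientId}:${clientSecret}`).toString('base64');
  req.headers.Authorization = `Basic ${basic}`;
  return req;
}
```

Comparing the captured /token request in the browser's network tab against these two shapes shows which client authentication method the page is actually using.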