Describe the bug?
When using the IDX/OIDC module to authenticate a user with `responseType: 'interaction_code'`, say in an SPA/PKCE setup, the `IDXResponse` after successfully answering all challenges will return an `interactionCode` and include the `issue()` action for the `/token` endpoint. Calling the `actions.issue({codeVerifier})` method fails with a 400 Bad Request, because the `/token` endpoint expects `Content-Type: 'x-www-form-urlencoded'` but this sends JSON.
Instead, calling `authClient.token.exchangeCodeForTokens({interactionCode, codeVerifier })` works as expected because it passes the right Content-Type.
I'm guessing that the IDX module does not use the headings described by the `successWithInteractionCode` response, which clearly indicates how to talk to `/token`:
Reproduction Steps?
In a sandbox/developer Okta tenant, set up an application that requires PKCE and is used in an SPA, then enable `Interaction Code` as a Grant Type. It shouldn't matter what authentication policies are used.
In any of the SPA sample apps, configure the `authClient` as normal:
```js
import { OktaAuth } from '@okta/okta-auth-js'

const authClient = new OktaAuth({
  clientId: 'clientId',
  redirectUri: 'http://localhost:8080/callback', // or whatever
  issuer: 'yourtenantissuer'
})
```
then authenticate using IDX. I don't use `authClient.idx.authenticate` since our app incorporates a number of flows, instead doing this:
and then chaining `proceed` depending on the next steps:
```js
import { AuthenticatorKey } from '@okta/okta-auth-js'

// currentTransaction is the IDX transaction started in the (omitted) step above
let response = await currentTransaction.proceed('identify', { identifier: '[email protected]' })
// my app happens to use email verification/OTP, but a password should produce the same response after the next two steps
response = await response.proceed('authenticator-verification-data', {
  authenticator: { id: AuthenticatorKey.OKTA_EMAIL, methodType: 'email' }
})
// ...after prompting the user to input the passcode...
response = await response.proceed('challenge-authenticator', { credentials: { passcode: '123456' } })
// the PKCE code verifier was generated when the transaction started and is kept in its meta
const { meta: { codeVerifier } } = authClient.transactionManager.load()
// The call below throws the 400 Bad Request
try {
  await response.actions.issue({ codeVerifier })
} catch (err) {
  console.error('actions.issue() failed:', err)
}
// This works instead
const { tokens } = await authClient.token.exchangeCodeForTokens({
  codeVerifier,
  interactionCode: response.interactionCode
})
```
SDK Versions
@okta/okta-auth-js: 7.0.1
Execution Environment
Modern browsers, Chrome
Additional Information?
No response
Thanks for submitting this issue with detailed information and steps to reproduce.
Internal ref: OKTA-602355
For now please use authClient.token.exchangeCodeForTokens as a workaround
Awesome! I will also add that I had to configure `withCredentials: false` as well for some reason, otherwise I ran into a CORS issue. Not sure if that's expected or not on the `/token` endpoint.