# Login via OKTA does not persist


spring helm

I'm having an issue where I can log in fine using the OKTA provider. However, as soon as a call to /api/auth/okta/refresh?optional&env=myenv happens, I get the error message "name":"AuthenticationError","message":"Invalid X-Requested-With header" with a status code of 401.

If I hit /api/auth/okta/handler/frame?env=myenv I can see the okta-nonce cookie, but the session persistence is not there. If I inspect /api/auth/okta/refresh?optional&env=myenv, the okta-refresh-token cookie is not there. I have the offline_access scope set up, but I'm a bit stuck in terms of what to try next. If someone has any other ideas, that would be a huge help.

spring helm

I figured out the issue. The offline_access scope is probably the answer if you're having issues with session duration. The OKTA provider out of the box has offline_access as a default scope, so that's probably not the issue if you're using OKTA. However, if you're using OKTA you have to make sure it is set up at both the auth server and the app server level. That was my issue. I had it set up at the app server level but not at the auth server, and never really saw any error or warning, so the app server wasn't really doing anything, as that is supposed to be a subset (or all) of the scopes the auth server has. Hope this helps someone.

short venture

What was the actual change? I'm just trying to set up Okta auth and am having the same symptoms as you.

short venture

@spring helm, any more specific info to share here? I'm not sure what you mean when differentiating "auth server" and "app server" for the configuration/setup.

short venture

OK, I figured out the issue. Specifically, Okta was not returning a refresh token during the OAuth flow because the Okta app wasn't created with offline_access as an allowed scope.

spring helm

Sorry for the late reply. Glad you figured it out. To provide additional clarity for others in the future: I had an auth server and an app server in OKTA, and both of them need to allow offline_access. I had it set up at the app server but not the auth server; it sounds like Brian was the other way around. In any case, if you have an auth server and an app server, make sure it is in both.
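The two failure points discussed in this thread, as an added diagnostic helper that is not code from the thread or from the auth backend being configured: the refresh endpoint rejecting a call that lacks the expected X-Requested-With header (the 401 quoted in the first post), and the refresh cookie never appearing because the authorization server quietly granted a narrower scope set than was requested, so no refresh_token came back. The request/response shapes, the required header value `XMLHttpRequest`, and all sample data are assumptions for illustration; the cookie name `okta-refresh-token` and the error text are taken from the posts above.

```javascript
// Added diagnostic helper; not code from the thread or from the auth backend it
// discusses. Request/response shapes and the header value are assumptions.

// Header value assumed: the thread only quotes the error text, not the value
// the backend expects.
const REQUIRED_XHR_HEADER = 'XMLHttpRequest';
// Cookie name as quoted in the first post.
const REFRESH_COOKIE = 'okta-refresh-token';

// Minimal parser for a "Cookie: a=b; c=d" request header (RFC 6265 syntax).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Classify a refresh request in the order the thread's symptoms suggest:
// the header check fails first with a 401, and only once that passes does the
// absence of the refresh cookie become visible as the real problem.
function diagnoseRefresh(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if (headers['x-requested-with'] !== REQUIRED_XHR_HEADER) {
    return { status: 401, reason: 'invalid-x-requested-with' };
  }
  const cookies = parseCookies(headers['cookie']);
  if (!cookies[REFRESH_COOKIE]) {
    return { status: 401, reason: 'missing-refresh-cookie' };
  }
  return { status: 200, reason: 'ok' };
}

// Inspect an OAuth token endpoint response: was offline_access actually granted
// and a refresh_token returned? Comparing the granted "scope" string against
// what the client requested surfaces the silent scope drop described above.
function checkTokenGrant(requestedScopes, tokenResponse) {
  const granted = new Set((tokenResponse.scope || '').split(/\s+/).filter(Boolean));
  const droppedScopes = requestedScopes.filter((s) => !granted.has(s));
  const hasRefreshToken =
    typeof tokenResponse.refresh_token === 'string' && tokenResponse.refresh_token.length > 0;
  return {
    hasRefreshToken,
    offlineAccessGranted: granted.has('offline_access'),
    droppedScopes,
  };
}

// Constructed samples, not captured from a real deployment.
const sampleRequests = {
  noHeader: { headers: { cookie: 'okta-nonce=abc' } },
  headerButNoRefresh: {
    headers: { 'X-Requested-With': 'XMLHttpRequest', cookie: 'okta-nonce=abc' },
  },
  ok: {
    headers: {
      'x-requested-with': 'XMLHttpRequest',
      cookie: 'okta-nonce=abc; okta-refresh-token=r1',
    },
  },
};
const requestedScopes = ['openid', 'profile', 'email', 'offline_access'];
const sampleTokenResponses = {
  // offline_access was requested but the server dropped it: no refresh_token.
  scopeDropped: { access_token: 'a', token_type: 'Bearer', scope: 'openid profile email' },
  // offline_access allowed on both sides: refresh_token present.
  withRefresh: {
    access_token: 'a',
    refresh_token: 'r',
    token_type: 'Bearer',
    scope: 'openid profile email offline_access',
  },
};

for (const [name, req] of Object.entries(sampleRequests)) {
  console.log(name, diagnoseRefresh(req));
}
for (const [name, resp] of Object.entries(sampleTokenResponses)) {
  console.log(name, checkTokenGrant(requestedScopes, resp));
}
```

When debugging a live setup, run the `checkTokenGrant` logic against the actual token response (or the granted scopes shown in the authorization server's logs) before touching the client: an empty `droppedScopes` list with no `refresh_token` points at the client or cookie handling, while `offline_access` in `droppedScopes` means the authorization server configuration is what needs fixing.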