PKCE Verification Failed while requesting token

[nuusk]

Issue Subject

I'm having issue with generating access tokens for users during the login process. While trying to login, request to https://<my-domain>/oauth2/<okta-auth-server>/token is sent. Sometimes it results in 400 Bad Request.

Packages versions

"@okta/okta-auth-js": "^4.7.1",
"@okta/okta-vue": "^3.1.0",

Expected Result

Status 200 OK with actual access token in response body.

Actual Result

Status 400 Bad Request with body:

{
    "error": "invalid_grant",
    "error_description": "PKCE verification failed."
}

Login process description

I'm using okta-hosted, Custom Sign In page, configured in okta panel, under Settings/Customization/Cusom Sign In

This is how core of this page looks like:

<body>
    <div id="okta-login-container"></div>

    <!--
        "OktaUtil" defines a global OktaUtil object
        that contains methods used to complete the Okta login flow.
     -->
    {{{OktaUtil}}}

    <script type="text/javascript">
      var config = OktaUtil.getSignInWidgetConfig();
      config.idps = [{ type: "Google", id: "0oae161wvufbNAkQW4x6" }];
      config.idpDisplay = "SECONDARY";
      var oktaSignIn = new OktaSignIn(config);
      oktaSignIn.renderEl(
        { el: "#okta-login-container" },
        OktaUtil.completeLogin,
        function (error) {
          console.log(error.message, error);
        }
      );
    </script>
  </body>

How to reproduce

Try to login several times with valid credentials on any of the affected browsers (Safari, Firefox).

Valuable notes

• Both requests look the same. The only values that differ are code and code_verifier.
• The actual response status is nondeterministic. Sometimes it works (access token is generated and Status is OK), sometimes it doesn't (PKCE error is thrown and status is Bad Request).
• Of three browsers that I tested (Chrome, Safari and Firefox), this problem affects only Safari and Firefox. I have never come across this error in Chrome.
• The chance of receiving an error increases when using an incognito mode.
• According to this PR (https://github.com/okta/okta-oidc-js/issues/804) I though this issue was well known and fixed in an update to okta-auth-js

[oleksandrpravosudko-okta]

Thanks for the detailed report @nuus7.

This issue seems to differ from #804 as it involves okta-hosted SIW.

A few questions to help reproducing the issue:

• can you please point out which version of SIW is used on your orgs sign-in page?
• are you using custom component for handling /callback route?
• does non-customized widget still trigger the error?

Having Chrome 'free' of this issue is likely caused by different 3p cookie blocking policy, but this does not really explain why it happens intermittently.

Are you able to check if this issue can be reproduced using our sample app w/ specified package versions?

[nuusk]

Thanks @oleksandrpravosudko-okta for your quick reply.

can you please point out which version of SIW is used on your orgs sign-in page?

• When I first encountered the error, I've noticed I've been using outdated version of the widget: 2.21. I just recently updated it to the newest version: 5.4. Unfortunately it didn't help.

are you using custom component for handling /callback route?

• currently using LoginCallback provided by okta-vue package. But I also tested doing this on my custom component and that didn't help.

does non-customized widget still trigger the error?

• Yes

Having Chrome 'free' of this issue is likely caused by different 3p cookie blocking policy, but this does not really explain why it happens intermittently.

• We have an Okta configured under our domain (same as the web app) - I wonder if that changes anything.

I will try to reproduce this error using the sample app you linked and will update you with my results!

[jakedurell]

@nuusk - did you ever find a resolution to this? I think I am seeing something similar. Also intermittently.

[jaredperreault-okta]

@jakedurell Please open you're own issue. This is an old thread which references out-of-date versions of this SDK