okta / okta-react-native

OIDC enablement for React Native applications
https://github.com/okta/okta-react-native

Sign in was not authorized (custom sign-in on iOS/Android) #238

Closed filiphosko closed 3 years ago

filiphosko commented 3 years ago

I'm submitting a:

Current behavior

When I try to use the custom sign-in (not browser sign-in) and call the signIn({username, password}) method I get the following error (screenshot attached). This happens in the app I'm developing but also in the preconfigured sample app that I downloaded from Okta's website.

Expected behavior

The sign-in should succeed (as does the browser sign-in that works). The preconfigured sample app should work.

Minimal reproduction of the problem with instructions

Create a native app in Okta backend, download the preconfigured sample app, install dependencies, run the custom sign-in app, enter username and password from your Okta application and press 'Login'. The attempt should fail with 'Error: Sign in was not authorized'.

Extra information about the use case/user story you are trying to implement

Environment

[attached screenshot: Screenshot 2021-10-25 at 21 09 38]

JayNewstrom commented 3 years ago

Hi @filiphosko sorry to hear you're running into issues.

@oleggnidets-okta could you take a look at this?

filiphosko commented 3 years ago

I was able to move on by getting the client from getAuthClient and calling the signInWithCredentials({username, password}) method on it. But when I got redirected to the Profile page in the sample app, I got the following error:

[attached screenshot: Screenshot 2021-10-25 at 21 47 04]

Guess I have to exchange the session token for an access token now? What is otherwise the proposed way to do custom sign-in in React Native, since signIn doesn't seem to work (at least not for me)? I looked here https://github.com/okta/okta-auth-js#signinoptions and it seems signIn is deprecated in favor of signInWithCredentials. But when I look here https://github.com/okta/okta-auth-js/blob/master/docs/authn.md#signinwithcredentials it looks like the authn API is also getting deprecated. I really don't know how to make this work...

EDIT: I tried to at least authenticate using signInWithCredentials and then use the session token with signInWithRedirect but I get the error null is not an object (evaluating 'r.webcrypto.subtle') which makes sense since the API is only available in the browser.

filiphosko commented 3 years ago

@JayNewstrom Any progress with this? We're working on an app for a client to whom we recommended to use Okta. The Figma designs require us to do a custom login page (not a browser sign-in) and right now we're stuck.

oleggnidets-okta commented 3 years ago

Hi @filiphosko, you shouldn't authenticate via AuthClient. You can use the signIn method, passing the parameters as described here. It exchanges the session_token for an access_token internally.

btw, I can log in a user successfully and our UI tests pass with okta-react-native 2.1.1. You may research our samples from the source and this one.

filiphosko commented 3 years ago

@oleggnidets-okta Thanks for the reply. Yes, I was using signIn, but since it was giving me the trouble specified above I wanted to try other ways to make it work (since I really need to make it work). I'm using the sample app from Okta's admin, as I've mentioned.

[attached screenshots: Screenshot 2021-10-27 at 17 24 06, Screenshot 2021-10-27 at 17 24 23]

I don't know why the error happens, but it's still happening (also on Android). Maybe it's some misconfiguration, but I did everything according to the docs (I think/hope). It's true that I only tested it locally in a dev environment (not a production build of the app), but I guess it should work either way.

oleggnidets-okta commented 3 years ago

Make sure you specify the correct parameters, the user is assigned to the app, and the org doesn't have MFA enabled.

filiphosko commented 3 years ago

@oleggnidets-okta I was able to get a log after I registered an error listener:

    { error_code: '-600', error_message: 'Authorization Error: Unexpected response format while retrieving authorization code.' }

I'm sure the parameters are correct and the user is assigned to the app, but I'm not sure about the MFA. I will check it and let you know if it helped.

EDIT: It seems like there is an MFA policy in place with "Okta Verify".

[attached screenshots: Screenshot 2021-10-27 at 18 46 53, Screenshot 2021-10-27 at 18 47 09, Screenshot 2021-10-27 at 18 47 19]

The problem is that I can't disable the MFA, since it tells me that I need to disable the factors in the policies that have it enabled, but I can't do that: there are 2 policies with the name "Default policy" and it doesn't allow me to disable the MFA there (probably because it can't be saved with the same name). I'm quite sure I didn't create those policies.

ericlifs commented 3 years ago

Please also check that you don't have React Native's debugger open, because that opens a browser console and therefore will throw CORS issues when trying to make requests to the Okta server.

filiphosko commented 3 years ago

@ericlifs Thanks for the info, I didn't have the debugger open (but good to know). I think it will be MFA related, since the error message is the same as here https://github.com/okta/okta-oidc-ios/issues/194 and it would make sense. I just can't try it without the MFA, since there is probably a bug where 2 policies with the same name were created and I can't update (disable Okta Verify in) any of them. But I guess this needs to be raised elsewhere.

oleggnidets-okta commented 3 years ago

@filiphosko The issue may be related to MFA. Our SDK supports only the primary login flow (rel. issue). Please let us know if disabling MFA fixes the problem. I'll record an internal task to support MFA in the future. Thanks.

filiphosko commented 3 years ago

@oleggnidets-okta Thanks, I can't disable MFA right now due to the possible bug I mentioned above (duplicate "Default policy" and not being able to disable Okta Verify for it), but I'll have to contact support regarding that, I guess. Maybe what could be improved regarding this issue would be to send a better error message, if possible, in case MFA blocks the sign-in, and also to set the onError listener in the preconfigured sample app (which is downloadable from Okta's admin interface), since without it the error message is even more abstract if you rely only on the error message that is thrown in JS.
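The two comments above (the error listener that surfaced `error_code: '-600'`, and the suggestion that the sample app should register `onError` so the JS-side "Sign in was not authorized" rejection is not the only signal) describe a pattern worth writing down. The following is an added example, not code from okta-react-native or from this thread: it registers the SDK's `onError` listener for the duration of a `signIn()` call, attaches the native error details to the rejection, and maps the error observed in this thread to a diagnosis (check app assignment and MFA policy). It assumes the SDK module exposes `signIn(opts)` returning a Promise and `EventEmitter.addListener(name, fn)` returning a subscription with `remove()`; the `makeFakeSdk` helper is a constructed stand-in for offline demonstration and reproduces only the behaviour reported above.

```javascript
// Added example, not part of okta-react-native or of this issue thread.
// Assumptions: `sdk` behaves like the @okta/okta-react-native module
// (sdk.signIn(opts) -> Promise, sdk.EventEmitter.addListener(name, fn) -> { remove() }).

// Map the native error object reported through 'onError' to an actionable diagnosis.
// The -600 / "Unexpected response format" case is the one observed in this thread
// when the org enforced an MFA (Okta Verify) policy.
function classifySignInError(nativeError) {
  if (!nativeError) {
    return { kind: 'unknown', hint: 'No native error details were captured; register an onError listener.' };
  }
  const message = String(nativeError.error_message || '');
  if (String(nativeError.error_code) === '-600' &&
      /Unexpected response format while retrieving authorization code/i.test(message)) {
    return {
      kind: 'mfa-or-policy',
      hint: 'The SDK only supports the primary (password-only) flow: check that the user is ' +
            'assigned to the app and that no MFA policy (e.g. Okta Verify) applies to them.',
    };
  }
  return { kind: 'other', hint: message || 'Unrecognised sign-in error.' };
}

// Run sdk.signIn() while listening for 'onError', so the caller gets the detailed
// native error (code + message + diagnosis) instead of only the generic JS rejection.
function signInWithDetailedError(sdk, credentials) {
  let nativeError = null;
  const subscription = sdk.EventEmitter.addListener('onError', (e) => { nativeError = e; });
  return sdk.signIn(credentials).then(
    (tokens) => { subscription.remove(); return tokens; },
    (jsError) => {
      subscription.remove();
      const diagnosis = classifySignInError(nativeError);
      const wrapped = new Error(nativeError
        ? `${jsError.message}: ${nativeError.error_message}`
        : jsError.message);
      wrapped.nativeError = nativeError;   // raw { error_code, error_message } or null
      wrapped.diagnosis = diagnosis;       // { kind, hint }
      throw wrapped;
    });
}

// Constructed fake SDK (hypothetical, for offline use only). With mfaEnforced=true it
// mimics what the thread reports: the native layer emits onError with code -600 and
// the JS promise rejects with the generic "Sign in was not authorized".
function makeFakeSdk({ mfaEnforced }) {
  const listeners = { onError: [] };
  return {
    EventEmitter: {
      addListener(name, fn) {
        listeners[name].push(fn);
        return { remove() { listeners[name] = listeners[name].filter((f) => f !== fn); } };
      },
    },
    signIn({ username, password }) {
      // Constructed credentials for the demo; real values come from the Okta org.
      if (!mfaEnforced && username === 'demo@example.com' && password === 'correct-password') {
        return Promise.resolve({ access_token: 'constructed-access-token' });
      }
      listeners.onError.forEach((fn) => fn({
        error_code: '-600',
        error_message: 'Authorization Error: Unexpected response format while retrieving authorization code.',
      }));
      return Promise.reject(new Error('Sign in was not authorized'));
    },
  };
}

// Stand-alone usage: MFA-enforced org rejects with a diagnosis; plain org succeeds.
signInWithDetailedError(makeFakeSdk({ mfaEnforced: true }),
  { username: 'demo@example.com', password: 'correct-password' })
  .catch((e) => console.log(e.message, '->', e.diagnosis.kind));
signInWithDetailedError(makeFakeSdk({ mfaEnforced: false }),
  { username: 'demo@example.com', password: 'correct-password' })
  .then((t) => console.log('signed in, token present:', Boolean(t.access_token)));
```

In a real app, replace `makeFakeSdk(...)` with the imported `@okta/okta-react-native` module and keep the listener scoped to the call as shown, so stale errors from an earlier attempt are not attributed to a later one.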

filiphosko commented 3 years ago

@oleggnidets-okta I created another Okta account without MFA and it works like that. Thanks a lot for the help.