omniauth / omniauth-okta

OAuth2 strategy for Okta
MIT License

The authorization code is invalid or has expired #29

Open stephen-roadster opened 2 years ago

stephen-roadster commented 2 years ago

Seems that when using the embed URL for an app in Okta, this is not working correctly. I end up getting an invalid credentials error:

omniauth: (okta_oauth) Authentication failure! invalid_credentials: OAuth2::Error, invalid_grant: The authorization code is invalid or has expired.

Here are the logs returned in Okta when trying to sign in. It seems to work until the last step, where it makes another call and the authorization code is somehow invalid (maybe this is a double-use kind of situation?).

[Screenshot of the Okta system log for the sign-in attempt, 2022-08-31]

Here is the setup in initializers:

```ruby
require 'omniauth-okta'

# Devise.setup block implied by the posted indentation; config.omniauth is Devise's API.
Devise.setup do |config|
  config.omniauth :okta, ENV['OKTA_CLIENT_ID'], ENV['OKTA_CLIENT_SECRET'], {
    name: :okta_oauth,
    scope: 'openid profile email phone mobilePhone',
    provider_ignores_state: true, # TODO: seems we need this for the Okta sign in link to work
    client_options: {
      # OKTA_APP_URL is the org hostname; the /oauth2/default/ paths use the default authorization server
      site:          "https://#{ENV['OKTA_APP_URL']}",
      authorize_url: "https://#{ENV['OKTA_APP_URL']}/oauth2/default/v1/authorize",
      token_url:     "https://#{ENV['OKTA_APP_URL']}/oauth2/default/v1/token",
      user_info_url: "https://#{ENV['OKTA_APP_URL']}/oauth2/default/v1/userinfo",
    },
    strategy_class: OmniAuth::Strategies::Okta
  }
end
```

I noticed that I needed to set the :provider_ignores_state flag to true; otherwise I get a CSRF error, which I also couldn't seem to resolve. For reference, I'm on omniauth-okta version 0.1.3.

ih-andrey-andreev commented 1 year ago

I have the same problem. Are there any updates?

gleb-klimovich commented 1 year ago

@stephen-roadster I've faced the same issue too, but then I found a way to fix it.

I'm assuming that you're setting up the gem based on the README file. But the thing is that if you want to set it up through Devise, you just need to skip the OmniAuth paragraph. So if you use Devise, you don't need to create config/initializers/omniauth.rb with the config for the Okta provider.

It should completely solve your problem, including provider_ignores_state: true.
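As an added example (editor's code, not code from omniauth-okta, Devise or Okta), the Ruby simulation below shows, on my reading of the reply above, how both symptoms in the report arise from one cause: if the Okta strategy is mounted twice (once by Devise's config.omniauth and once by a separate OmniAuth initializer), the same callback request runs through both copies. With state checking on, the second copy finds the session state already consumed and fails with a CSRF error; with provider_ignores_state: true, the second copy redeems the already-used code and the token endpoint answers invalid_grant, matching the "double use" guess. The last case shows what provider_ignores_state: true costs even with a single copy: an attacker-chosen state is accepted. The authorization server, client id, state handling and strategy classes here are constructed stand-ins for the simulation, not the gem's own classes.

```ruby
require 'securerandom'

# Constructed model of an OAuth2 authorization server (not Okta's code):
# authorization codes are single-use and bound to one client.
class AuthorizationServer
  INVALID_GRANT = {
    'error' => 'invalid_grant',
    'error_description' => 'The authorization code is invalid or has expired.'
  }.freeze

  def initialize
    @codes = {}
  end

  # Issue a fresh authorization code bound to a client.
  def issue_code(client_id)
    code = SecureRandom.hex(16)
    @codes[code] = { client_id: client_id, used: false }
    code
  end

  # Exchange a code for a token. A second exchange of the same code is
  # rejected exactly like an unknown or expired code would be.
  def exchange(code, client_id)
    entry = @codes[code]
    return INVALID_GRANT if entry.nil? || entry[:used] || entry[:client_id] != client_id

    entry[:used] = true
    { 'access_token' => SecureRandom.hex(16), 'token_type' => 'Bearer' }
  end
end

# Stand-in for an OmniAuth OAuth2 strategy (constructed, not the gem's class):
# the request phase stores a state nonce in the session, the callback phase
# checks it (unless told to ignore it) and then redeems the code.
class CallbackStrategy
  def initialize(server, client_id, ignore_state: false)
    @server = server
    @client_id = client_id
    @ignore_state = ignore_state
  end

  def request_phase(session)
    session['omniauth.state'] = SecureRandom.hex(16)
  end

  def callback_phase(session, params)
    unless @ignore_state
      expected = session.delete('omniauth.state') # consumed on first use
      return [:failure, 'csrf_detected'] if expected.nil? || expected != params['state']
    end

    resp = @server.exchange(params['code'], @client_id)
    if resp['error']
      return [:failure, "invalid_credentials: #{resp['error']}: #{resp['error_description']}"]
    end
    [:success, resp['access_token']]
  end
end

# Simulate one sign-in. registered_twice: the strategy is mounted both by
# Devise and by an OmniAuth initializer, so the callback request passes
# through two copies of it. tamper_state: the state parameter on the
# callback is attacker-chosen rather than the one stored in the session.
def simulate(registered_twice: false, ignore_state: false, tamper_state: false)
  server = AuthorizationServer.new
  client_id = 'constructed-client-id'
  copies = registered_twice ? 2 : 1
  strategies = Array.new(copies) { CallbackStrategy.new(server, client_id, ignore_state: ignore_state) }

  session = {}
  state = strategies.first.request_phase(session)
  code = server.issue_code(client_id)
  params = { 'code' => code, 'state' => tamper_state ? 'attacker-chosen' : state }

  # Every mounted copy sees the same callback request, in order.
  strategies.map { |s| s.callback_phase(session, params) }
end

if $PROGRAM_NAME == __FILE__
  p simulate                                             # [[:success, token]]
  p simulate(registered_twice: true)                     # second copy: csrf_detected
  p simulate(registered_twice: true, ignore_state: true) # second copy: invalid_grant
  p simulate(ignore_state: true, tamper_state: true)     # tampered state accepted
  p simulate(tamper_state: true)                         # tampered state rejected
end
```

The fix the reply describes corresponds to the single-copy run: with the strategy mounted once, the state check passes, the code is exchanged once, and provider_ignores_state can stay at its default so the tampered-state case is rejected.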