Configuring Okta base url

[brandonchinn178]

Describe the bug
Following the normal instructions, I get redirected to https://dev-${my_app_id}.okta.com/v1/authorize, which shows a 404 error. Changing OKTA_DOMAIN to dev-${my_app_id}.okta.com/oauth2 fixes it. Should the Okta provider add the /oauth2 path?

Steps to reproduce
Follow instructions for Okta provider

Expected behavior
Login should work

Screenshots or error logs
If applicable add screenshots or error logs to help explain the problem.

Additional context
Add any other context about the problem here.

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[balazsorban44]

Thanks for this. So there was a change in #763. Are you suggesting it was wrong?

@ohheyalanray as the PR author, do you have any comments on this?

The changes were accepted after I reviewed this section https://github.com/okta/okta-auth-js#required-options

[vmptk]

I can also confirm that by adding the oauth2 to the domain is working as well.

[balazsorban44]

huh. should we revert #763 then?

[brandonchinn178]

Maybe instead of domain, just ask for baseUrl? That would make it more consistent with the docs

https://developer.okta.com/docs/reference/api/oidc/#composing-your-base-url

This would also make it consistent with @okta/jwt-verifier, where I explicitly specify issuer as https://$DOMAIN/oauth2/default

[brandonchinn178]

ref. #1287

[htunnicliff]

Just wanted to chime in that this also broke our Okta sign in. Okta expects the authorize URL to be /oauth2/v1/authorize. This should definitely remain the default, since next-auth lets users completely override those urls in individual configurations.

[miguelguadarrama]

Just wanted to give my two cents here... also affected. The current version is not working by default. As other suggested you could make OKTA_DOMAIN something like okta.com/oauth2 but it's feels definitely hackish...

[piotrzaborow]

I did change the domain url, but still has problem to get it working.

New Okta tenant with newly created application gives me error:

https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 400,
  data: '{"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}'
}

[temaput]

I did change the domain url, but still has problem to get it working.

New Okta tenant with newly created application gives me error:

https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 400,
  data: '{"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}'
}

I had a similar issue with Okta. Turns out it was due to improperly assigned user: Okta was returning user back with an error code instead of authCode, but next-auth still tried to get the token (with authorization code equal to null), which in turn caused the Okta's complain.

[github-actions]

We cannot recreate the issue with the provided information. Please add a reproduction in order for us to be able to investigate.

Why was this issue marked with the incomplete label?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We prefer a link to a public GitHub repository (template), but you can also use a tool like CodeSandbox or StackBlitz.

To make sure the issue is resolved as quickly as possible, please make sure that the reproduction is as minimal as possible. This means that you should remove unnecessary code, files, and dependencies that do not contribute to the issue.

Please test your reproduction against the latest version of NextAuth.js (next-auth@latest) to make sure your issue has not already been fixed.

I added a link, why was it still marked?

Ensure the link is pointing to a codebase that is accessible (e.g. not a private repository). "example.com", "n/a", "will add later", etc. are not acceptable links -- we need to see a public codebase. See the above section for accepted links.

What happens if I don't provide a sufficient minimal reproduction?

Issues with the incomplete label that receives no meaningful activity (e.g. new comments with a reproduction link) are closed after 7 days.

If your issue has not been resolved in that time and it has been closed/locked, please open a new issue with the required reproduction. (It's less likely that we check back on already closed issues.)

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps. Furthermore, you can upvote the issue using the 👍 reaction on the topmost comment (please do not comment "I have the same issue" without repro steps). Then, we can sort issues by votes to prioritize.

I think my reproduction is good enough, why aren't you looking into it quicker?

We look into every NextAuth.js issue and constantly monitor open issues for new comments.

However, sometimes we might miss one or two. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.

Useful Resources

• How to create a Minimal, Complete, and Verifiable example
• Reporting a NextAuth.js bug
• How to Contribute to Open Source (Next.js)

[balazsorban44]

Closing as this issue is kinda old. Let's open a new one with a fresh, minimal reproduction, if it still exists.