widget mfa Skip to main content
https://support.okta.com/help/answers?id=9062a000000xa0sqas&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Admin AdminAdmin Admin 

widget mfa

I've enabled MFA on one application in my developer preview.  When using the Okta Widget for authentication, I'm getting the error: OAUTH_ERROR","message":"The client specified not to prompt, but the client app requires re-authentication or MFA."  I know the widget can handle MFA, what do I need to do to enable the widget to handle MFA? 
Adrian HaisanAdrian Haisan (Okta, Inc.)
Hello Thomas,
After following the documentation provided here:
http://developer.okta.com/docs/guides/okta_sign-in_widget.html
I understand that's where the error came up.


I was wondering whether you have seen the following sections-

Customizing style with CSS--

http://developer.okta.com/docs/guides/okta_sign-in_widget.html#customizing-style-with-css (http://developer.okta.com/docs/guides/okta_sign-in_widget.html#customizing-style-with-css" shape="rect" style="color:rgb(0, 108, 181);text-decoration:none;font-weight:normal;" target="_blank)

Advice for hosting your own CSS--

http://developer.okta.com/docs/guides/okta_sign-in_widget.html#advice-for-hosting-your-own-css (http://developer.okta.com/docs/guides/okta_sign-in_widget.html#advice-for-hosting-your-own-css" shape="rect" style="color:rgb(0, 108, 181);text-decoration:none;font-weight:normal;" target="_blank)

Testing the Okta Sign-In Widget--

http://developer.okta.com/docs/guides/okta_sign-in_widget.html#testing-the-okta-sign-in-widget (http://developer.okta.com/docs/guides/okta_sign-in_widget.html#testing-the-okta-sign-in-widget" shape="rect" style="color:rgb(0, 108, 181);text-decoration:none;font-weight:normal;" target="_blank)


Customizing widget features and text labels with JavaScript
The configuration options that are passed to the OktaSignIn() constructor are used to configure the functionality and text labels of the Okta Sign-In Widget. An example of how to configure OktaSignIn() is below, followed by a full list of all of the features and text labels that you can use to configure the Okta Sign-In Widget.

Example

Below is a working example of a customized version of the Okta Sign-In Widget. You can see what these customizations do by copying this code into your login-to-okta.html example file and reloading the page in your web browser. A full list of the supported customization options are below.

 
var oktaSignIn = new OktaSignIn({
  baseUrl: baseUrl,
  logo: 'https://upload.wikimedia.org/wikipedia/en/thumb/7/7e/Oldacmelogo.png/200px-Oldacmelogo.png',
  features: {
    rememberMe: true,
    smsRecovery: true,
    selfServiceUnlock: true
  },
  helpLinks: {
    help: 'http://acme.example.com/custom/help/page',
    forgotPassword: 'http://acme.example.com/custom/forgot/pass/page',
    unlock: 'http://acme.example.com/custom/unlock/page',
    custom: [
      { text: 'Dehydrated Boulders Support', href: 'http://acme.example.com/support/dehydrated-boulders' },
      { text: 'Rocket Sled Questions', href: 'http://acme.example.com/questions/rocket-sled' }
    ]
  },
  // See the contents of the 'okta-theme-1.2.0.css' file for a full list of labels.
  labels: {
    'primaryauth.title': 'Acme Partner Login',
    'primaryauth.username': 'Partner ID',
    'primaryauth.username.tooltip': 'Enter your @ partner.com ID',
    'primaryauth.password': 'Password',
    'primaryauth.password.tooltip': 'Super secret password'
  }
});

Adrian HaisanAdrian Haisan (Okta, Inc.)
Following are all the label values supported. 

signout: "Sign Out",
                remember: "Remember me",
                rememberDevice: "Trust this device",
                unlockaccount: "Unlock account?",
                needhelp: "Need help signing in?",
                goback: "Back to Sign In",
                forgotpassword: "Forgot password?",
                help: "Help",
                "error.config": "There was a configuration error",
                "error.required.authParams": 'Missing parameters for the configured authentication scheme - "OAUTH2"',
                "error.required.baseUrl": '"baseUrl" is a required widget parameter',
                "error.required.success": "A success handler is required",
                "error.required.el": '"el" is a required widget parameter',
                "error.unsupported.browser": "Unsupported browser",
                "error.unsupported.cors": "Unsupported browser - missing CORS support",
                "error.unsupported.localStorage": "Unsupported browser - missing localStorage support",
                "error.enabled.cors": "There was an error sending the request - have you enabled CORS?",
                "error.expired.session": "Your session has expired. Please try to log in again.",
                "error.auth.lockedOut": "Your account is locked. Please contact your administrator.",
                "error.oauth.idToken": "There was a problem generating the id_token for the user. Please try again.",
                "error.network.connection": "Unable to connect to the server. Please check your network connection.",
                "errors.E0000004": "Sign in failed!",
                "errors.E0000069": "Your account was locked due to excessive MFA attempts.",
                "errors.E0000047": "You exceeded the maximum number of requests. Try again in a while.",
                "oform.next": "Next",
                "oform.verify": "Verify",
                "oform.send": "Send",
                "oform.back": "Back",
                "oform.save": "Save",
                "oform.cancel": "Cancel",
                "oform.edit": "Edit",
                "oform.previous": "Previous",
                "oform.errorbanner.title": "We found some errors. Please review the form and make corrections.",
                "oform.errormsg.title": "Please review the form to correct the following errors:",
                "oform.error.unexpected": "There was an unexpected internal error. Please try again.",
                "model.validation.field.blank": "The field cannot be left blank",
                "model.validation.field.wrong.type": "The field is of the wrong type",
                "model.validation.field.invalid": "The field has an invalid value",
                "model.validation.field.value.not.allowed": "The field value is not allowed",
                "model.validation.field.array.minItems": "The array does not have enough items",
                "model.validation.field.array.unique": "The array can only have unique values",
                "model.validation.field.username": "Please check your username",
                "factor.totpSoft.oktaVerify": "Okta Verify",
                "factor.totpSoft.googleAuthenticator": "Google Authenticator",
                "factor.totpSoft.description": "Enter single-use code from the mobile app.",
                "factor.totpHard.rsaSecurId": "RSA SecurID",
                "factor.totpHard.symantecVip": "Symantec VIP",
                "factor.totpHard.description": "Enter a single-use code from a hardware token.",
                "factor.totpHard.yubikey": "Yubikey",
                "factor.totpHard.yubikey.description": "Insert your Yubikey and tap it to get a verification code.",
                "factor.oktaVerifyPush": "Okta Verify",
                "factor.push.description": "Use a push notification sent to the mobile app.",
                "factor.duo": "Duo Security",
                "factor.duo.description": "Use Push Notification, SMS, or Voice call to authenticate.",
                "factor.sms": "SMS Authentication",
                "factor.sms.description": "Enter a single-use code sent to your mobile phone.",
                "factor.securityQuestion": "Security Question",
                "factor.securityQuestion.description": "Use the answer to a security question to authenticate.",
                "mfa.challenge.verify": "Verify",
                "mfa.challenge.answer.placeholder": "Answer",
                "mfa.challenge.answer.tooltip": "Answer",
                "mfa.challenge.answer.showAnswer": "Show answer",
                "mfa.challenge.enterCode.placeholder": "Enter Code",
                "mfa.challenge.enterCode.tooltip": "Enter Code",
                "mfa.backToFactors": "Back to factor list",
                "mfa.phoneNumber.placeholder": "Phone number",
                "mfa.sendCode": "Send code",
                "mfa.sent": "Sent",
                "mfa.resendCode": "Re-send code",
                "mfa.scanBarcode": "Scan barcode",
                "mfa.noAccessToEmail": "Can't access email",
                "password.reset": "Reset Password",
                "password.oldPassword.placeholder": "Old password",
                "password.oldPassword.tooltip": "Old password",
                "password.newPassword.placeholder": "New password",
                "password.newPassword.tooltip": "New password",
                "password.confirmPassword.placeholder": "Repeat password",
                "password.confirmPassword.tooltip": "Repeat password",
                "password.error.match": "New passwords must match",
                "enroll.choices.title": "Set up multifactor authentication",
                "enroll.choices.description": "Your company requires multifactor authentication to add an additional layer of security when signing into your Okta account",
                "enroll.choices.optional": "You can configure any additional optional factor or click finish",
                "enroll.choices.list.setup": "Setup required",
                "enroll.choices.list.enrolled": "Enrolled factors",
                "enroll.choices.list.optional": "Additional optional factors",
                "enroll.choices.step": "{0} of {1}",
                "enroll.choices.setup": "Setup",
                "enroll.choices.submit.finish": "Finish",
                "enroll.choices.submit.configure": "Configure factor",
                "enroll.choices.submit.next": "Configure next factor",
                "enroll.securityQuestion.setup": "Setup secret question authentication",
                "enroll.sms.setup": "Receive a code via SMS to authenticate",
                "enroll.onprem.username.placeholder": "Enter {0} username",
                "enroll.onprem.username.tooltip": "Enter {0} username",
                "enroll.onprem.passcode.placeholder": "Enter {0} passcode",
                "enroll.onprem.passcode.tooltip": "Enter {0} passcode",
                "enroll.symantecVip.subtitle": "Enter Credential ID and two consecutive generated codes",
                "enroll.symantecVip.credentialId.placeholder": "Enter credential ID",
                "enroll.symantecVip.credentialId.tooltip": "Enter credential ID",
                "enroll.symantecVip.passcode1.placeholder": "Security code 1",
                "enroll.symantecVip.passcode1.tooltip": "Security code 1",
                "enroll.symantecVip.passcode2.placeholder": "Security code 2",
                "enroll.symantecVip.passcode2.tooltip": "Security code 2",
                "enroll.yubikey.title": "Setup Yubikey",
                "enroll.yubikey.subtitle": "Insert your Yubikey into a USB port and tap it to generate a verification code",
                "enroll.totp.title": "Setup {0}",
                "enroll.totp.selectDevice": "Select your device type",
                "enroll.totp.downloadApp": 'Download <a href="{0}" class="inline-link">{1} from the {2}</a> onto your mobile device.',
                "enroll.totp.installApp": "Install {0}",
                "enroll.duo.title": "Setup Duo Security",
                "enroll.totp.enterCode": "Enter code displayed from the application",
                "enroll.totp.setupApp": "Launch {0} application on your mobile device and select Add an account.",
                "enroll.totp.setupGoogleAuthApp": 'Launch {0}, tap the "+" icon, then select "Scan barcode".',
                "enroll.totp.cannotScan": "Can't scan?",
                "enroll.totp.refreshBarcode": "Refresh code",
                "enroll.totp.cannotScanBarcode": "Can't scan barcode?",
                "enroll.totp.manualSetupInstructions": "To set up manually enter your Okta Account username and then input the following in the Secret Key Field",
                "enroll.totp.sharedSecretInstructions": "Enter your Okta Account username and enter the following in the Secret Key Field",
                "enroll.totp.sendSms": "Send activation link via SMS",
                "enroll.totp.sendEmail": "Send activation link via email",
                "enroll.totp.setupManually": "Setup manually without push notification",
                "enroll.totp.enrollViaEmail.title": "Activation email sent!",
                "enroll.totp.enrollViaEmail.msg": "Open the email from your mobile device.",
                "enroll.totp.enrollViaSms.title": "SMS sent!",
                "enroll.totp.enrollViaSms.msg": "View the SMS on your mobile device.",
                "recoveryChallenge.sms.title": "Enter verification code sent via SMS",
                "mfa.factors.dropdown.title": "Select an authentication factor",
                "mfa.duoSecurity.push": "Push — {0}",
                "mfa.duoSecurity.sms": "SMS — {0}",
                "mfa.duoSecurity.call": "Call — {0}",
                "mfa.challenge.title": "Enter your {0} passcode",
                "mfa.challenge.orEnterCode": "Or enter code",
                "oktaverify.send": "Send Push",
                "oktaverify.sent": "Push sent!",
                "oktaverify.rejected": "You have chosen to reject this login.",
                "oktaverify.timeout": "Your push notification has expired.",
                "primaryauth.title": "Do Not Sign In",
                "primaryauth.username.placeholder": "Username",
                "primaryauth.username.tooltip": "Username",
                "primaryauth.password.placeholder": "Password",
                "primaryauth.password.tooltip": "Password",
                "primaryauth.submit": "Sign In",
                "primaryauth.newUser.tooltip": "This is the first time you are connecting to {0} from this browser",
                "primaryauth.newUser.tooltip.close": "Close",
                "password.forgot.email.or.username.placeholder": "Email or Username",
                "password.forgot.email.or.username.tooltip": "Email or Username",
                "password.forgot.sendText": "Reset via SMS",
                "password.forgot.sendEmail": "Reset via Email",
                "password.forgot.emailSent.title": "Email sent!",
                "password.forgot.emailSent.desc": "Email has been sent to {0} with instructions on resetting your password.",
                "password.forgot.question.title": "Answer Forgotten Password Challenge",
                "password.forgot.question.submit": "Reset Password",
                "password.reset.title": "Reset your Okta password",
                "password.expired.submit": "Change Password",
                "password.expired.title": "Your Okta password has expired",
                "password.expiring.later": "Remind me later",
                "password.expiring.title": "Your password will expire in {0} days",
                "password.expiring.today": "Your password will expire later today",
                "password.expiring.subtitle": "When password expires you may be locked out of Okta Mobile, mobile email, and other services.",
                "account.unlock.title": "Unlock account",
                "account.unlock.email.or.username.placeholder": "Email or username",
                "account.unlock.email.or.username.tooltip": "Email or username",
                "account.unlock.sendText": "Send SMS",
                "account.unlock.sendEmail": "Send Email",
                "account.unlock.emailSent.title": "Email sent!",
                "account.unlock.emailSent.desc": "Email has been sent to {0} with instructions on unlocking your account.",
                "account.unlock.question.title": "Answer Unlock Account Challenge",
                "account.unlock.question.submit": "Unlock Account",
                "contact.support": "If you didn't provide a secondary email address or don't have access to email, please contact your administrator at {0}",
                "socialauth.divider.text": "OR",
                "socialauth.facebook.label": "Sign in with Facebook",
                "socialauth.google.label": "Sign in with Google",
                "socialauth.linkedin.label": "Sign in with LinkedIn",

These are all default values. You can override these values in the labels part of the log in widget. If you do not override the value default from above will be used.
Adrian HaisanAdrian Haisan (Okta, Inc.)
Please feel free to open a Support Ticket if there are any questions. Thank you!
Thomas ChornThomas Chorn

Hi Adrian,

I think I may have to open a support ticket.  From what I can tell, the issue is that the widget handles a status of MFA_REQUIRED from the authn call correctly.  However, this only applies if Okta can determine the user must always provide MFA on the main Okta login.  If a subset of apps require MFA, the authn API will not force MFA because it may not be needed.  Since this is a single page application, the widget calls the authorize API to get a token.  Because the app requires MFA and MFA was not performed on the session yet, the authorize API returns the error status, 'login_required'.  This is because the authorize API has the client_id parameter, so it knows what app is to be accessed and what the application requirements for access are.  
 

So, the problem is that the widget should be able to handle the 'login_required' error from the authorize API for a single page application.  The obvious solution would be to put up the MFA form as if MFA_REQUIRED was returned on the authn API.  This may suffice most of the time, but has issues if the user has not already been enrolled into the MFA.  So, the obvious solution may have a caveat (e.g. only works if the user is already enrolled), but would be a huge step in the right direction.

Ajay Singh AdminAjay Singh Admin
Was this issue resolved? I am facing same issue.
Matt ChristensenMatt Christensen
There are a few places that you need to configure Multifactor authentication(MFA) in Okta.  In the Classic UI under Security->Authentication->SignOn.  You need to create a new Okta Sign-On Policy, add a rule and make sure the "Prompt for Factor" is checked.  You then have the choice of, Per Device, Every Time, Per Session.  You select one of these depending on your security requirements.  This selection is important as it may conflict with the application MFA settings.

You'll also need to go to Security->Mulitfactor->Factor Enrollment and create a new policy or edit the default and ensure that you have atleast one Eligle factor as 'required'.  I'd suggest starting with SMS.  Make sure that you have the appropriate groups assigned as well.  To start maybe just assign "everyone" and then widdle down after you get it working.

Next you need to configure multifactor for the application.  Go to Applications->Applications and select your application.   Then select the "Sign On".  At the bottom of the page you need add a rule that will allow for MFA.  After giving your access rule a name and adding any other required restrictions, you'll need to add an access rule, check off the "Prompt for factor" and select how often you want the user to be asked for another multifactor.  This is the part that is tricky, if you selected Per device in the above and then here select "once a month", it possible that it won't work at all or that you get authenticated and then get this error a month later again.  In my opinon to have two combination choices.  
1) "Every Time" and a "Once a day/week/month" option
or
2)"Per Device" and then "Only once"

This is what I found anyway.  Whatever you do don't do what I did....Select "Every time and one month", get authenticated and then comeback and change the Authentication to "per Device" and then get the error a month later after you've completely forgetten how it was configured