When an OpenID Connect (OIDC) application's authorization request fails, Okta redirects the user back to the application instead of displaying an Okta-hosted error page. This is the behavior the OIDC and OAuth 2.0 specifications require: every error that occurs at the /authorize endpoint is returned to the client through the Redirect URI, including errors like user_not_assigned. Because of this, the application itself, not Okta, must catch these errors and send the user to a custom troubleshooting page.
According to the OIDC specifications, Okta returns all errors that occur during the authorization request (the /authorize endpoint) to the client application through the Redirect URI. The error arrives as error and error_description parameters, with the state value from the request echoed back, in the query string of the Redirect URI, or in the URL fragment when response_mode=fragment is used. The only exception is an invalid Redirect URI: Okta will not redirect to a URI it cannot verify, so in that case it displays the error itself. This applies to all other authorization errors, including the user_not_assigned error, which occurs when the authenticated user is not assigned to the target application.
Why does Okta redirect users to the application during an error?
By default, and in compliance with the OIDC specifications, Okta redirects the user back to the application's Redirect URI when an authorization error occurs. Okta does not display a hosted error page for these errors, so the application's callback handler is the first place the error can be shown to the user.
Custom error pages must be configured in the OIDC application.
To send users to a troubleshooting page within the application, add code to the Redirect URI (callback) handler that checks for the error parameter, verifies that the returned state matches the one sent in the authorization request, and then redirects to an application-hosted troubleshooting page. Include remediation steps for end users on that page, such as contacting the Okta Administrator to request assignment to the application. Treat error_description as untrusted input: it arrives in the URL, so either escape it before rendering or display a fixed message keyed on the error code instead.
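One way to implement this in the Redirect URI handler, written here as an added Python example rather than Okta's own code: the route names, the USER_REMEDIABLE mapping, and the sample callback URL are assumptions for illustration. The handler reads the callback parameters from either the query string or the fragment, checks state before trusting anything else, routes recognized error codes to a troubleshooting page with a fixed message, and escapes any URL-derived text that reaches a page.

```python
"""Catch OIDC authorization errors at the Redirect URI and route the user
to a troubleshooting page. Added example; not Okta's code or a real app."""
import hmac
from html import escape
from urllib.parse import urlsplit, parse_qs

# Assumed route names in a hypothetical application (not Okta routes).
ROUTE_EXCHANGE = "/auth/exchange"        # next step: swap the code for tokens
ROUTE_TROUBLESHOOT = "/auth/troubleshoot"
ROUTE_ERROR = "/auth/error"

# Error codes the app explains to end users with a fixed message. The
# 'user_not_assigned' name is the one used in the article; the others are
# standard OAuth 2.0 / OIDC error codes. Anything else gets the generic page.
USER_REMEDIABLE = {
    "user_not_assigned": "You are not assigned to this application. "
                         "Contact your Okta Administrator to request access.",
    "access_denied": "Access was denied. If you believe this is a mistake, "
                     "contact your Okta Administrator.",
    "consent_required": "Consent is required before this application can "
                        "sign you in. Try again and accept the prompt.",
}


def parse_callback_params(redirect_url):
    """Return the parameters Okta appended to the Redirect URI as a dict.

    response_mode=query puts them in the query string; fragment mode (used
    by the implicit flow) puts them after '#'. Both locations are read.
    """
    parts = urlsplit(redirect_url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(parts.fragment, keep_blank_values=True))
    return {k: v[0] for k, v in params.items()}


def handle_callback(redirect_url, expected_state):
    """Decide where to send the user after Okta redirects back.

    Returns (route, context). The state check comes first: nothing in the
    response, error or success, is trusted until it is tied to the request
    this app actually issued. The compare is constant-time on bytes.
    """
    params = parse_callback_params(redirect_url)
    returned_state = params.get("state", "").encode()
    if not hmac.compare_digest(returned_state, expected_state.encode()):
        return ROUTE_ERROR, {"error": "state_mismatch", "description": ""}

    error = params.get("error")
    if error is None:
        if "code" not in params:
            return ROUTE_ERROR, {"error": "missing_code", "description": ""}
        return ROUTE_EXCHANGE, {"code": params["code"]}

    # Error response. error_description is text taken straight from the URL,
    # so it is carried along for logging but never rendered unescaped.
    description = params.get("error_description", "")
    if error in USER_REMEDIABLE:
        return ROUTE_TROUBLESHOOT, {"error": error, "message": USER_REMEDIABLE[error]}
    return ROUTE_ERROR, {"error": error, "description": description}


def render_page(route, context):
    """Render a minimal HTML body for the error routes; every value that
    originated in the callback URL is HTML-escaped before it is emitted."""
    if route == ROUTE_TROUBLESHOOT:
        body = f"<h1>Sign-in problem</h1><p>{escape(context['message'])}</p>"
    elif route == ROUTE_ERROR:
        body = (f"<h1>Sign-in failed</h1><p>Error code: {escape(context['error'])}</p>"
                f"<p>{escape(context['description'])}</p>")
    else:
        body = "<p>Redirecting...</p>"
    return f"<html><body>{body}</body></html>"


if __name__ == "__main__":
    # Constructed sample callback; the error_description text is illustrative.
    sample = ("https://app.example.com/authorization-code/callback"
              "?error=user_not_assigned&error_description=User+is+not+assigned"
              "&state=s3cr3t-state")
    route, ctx = handle_callback(sample, "s3cr3t-state")
    print(route, ctx)
    print(render_page(route, ctx))
```

The state check is deliberately placed ahead of the error branch: an attacker who can lure a user to the callback URL can also append an error parameter, and a handler that displays error text before tying the response to its own request becomes a phishing surface. Keeping user-facing text in USER_REMEDIABLE means the only URL-derived strings that reach a page are the error code and description on the generic error route, and both go through escape().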
