When a user attempts to sign in using a Social Sign-In Identity Provider (IdP) on a tenant where the authentication policy requires Multi-Factor Authentication (MFA), the redirect URI receives an error instead of prompting for MFA. The following error is returned:
error=interaction_required&error_description=Your+client+is+configured+to+use+the+interaction+code+flow+and+user+interaction+is+required+to+complete+the+request
This prevents the user from completing the MFA challenge as expected.
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- Social Identity Providers
- Okta Sign-In Widget
This error occurs because the transaction state, which includes the requirement for an MFA challenge after the initial IdP authentication, is not being passed back to the Okta Sign-In Widget. The widget requires this state to resume the transaction and prompt the user for the required authentication factor. In the interaction code flow, Okta signals this with the error value interaction_required rather than failing the sign-in outright.
When a user is redirected back to the application redirect URL after signing in with a third-party IdP, the application must evaluate the callback parameters:
- Check the callback for an interaction_code parameter. If present and no further input is required, the authentication process is complete.
- Identify whether the callback contains an error query parameter with the value interaction_required.
- Render the Sign-In Widget again if the interaction_required error is present.
- Use the same configuration for the second render as the first render.
- The widget automatically proceeds with the transaction once reloaded.
NOTE: Both server-side web applications and SPAs should follow this logic to ensure the authentication flow continues correctly.
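The callback handling above, as an added example for the browser side of a SPA; this is not Okta's own code and not part of the original article. It assumes a hypothetical renderWidget function that constructs and shows the Sign-In Widget (for example via new OktaSignIn(config)) and a hypothetical exchangeCode function that redeems an interaction_code for tokens; the WIDGET_CONFIG values are constructed placeholders, not a real org.

```javascript
// Added example (not Okta's code): decide what an OIE social-IdP callback needs,
// and re-render the Sign-In Widget with the SAME config when Okta returns
// error=interaction_required (for example, MFA still pending after the IdP step).

// Constructed placeholder configuration; a real app uses its own org values.
const WIDGET_CONFIG = Object.freeze({
  baseUrl: 'https://example.okta.com',
  clientId: '0oaEXAMPLECLIENTID',
  redirectUri: 'https://app.example.com/login/callback',
  useInteractionCodeFlow: true,
});

// Classify the redirect URI the browser landed on, following the article's steps.
function classifyCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('interaction_code')) return 'complete';
  if (params.get('error') === 'interaction_required') return 'resume_widget';
  if (params.has('error')) return 'fatal_error';
  return 'no_callback';
}

// renderWidget(config) and exchangeCode(code, state) are injected (assumed
// app functions) so the decision logic runs and is testable without the widget.
function handleCallback(callbackUrl, renderWidget, exchangeCode) {
  const outcome = classifyCallback(callbackUrl);
  const params = new URL(callbackUrl).searchParams;
  switch (outcome) {
    case 'complete':
      // No further input required: redeem the interaction code for tokens.
      exchangeCode(params.get('interaction_code'), params.get('state'));
      break;
    case 'resume_widget':
      // Second render uses the identical configuration; the widget reloads the
      // stored transaction and prompts for the remaining factor (MFA).
      renderWidget(WIDGET_CONFIG);
      break;
    case 'fatal_error':
      // Any other OAuth error (e.g. access_denied) is not resumable here;
      // show it to the user instead of re-rendering in a loop.
      break;
    default:
      // Not a callback at all: render the widget for a fresh sign-in.
      renderWidget(WIDGET_CONFIG);
  }
  return outcome;
}

// Stand-alone demo with a constructed callback URL (the article's error string).
const DEMO_URL =
  'https://app.example.com/login/callback?error=interaction_required' +
  '&error_description=Your+client+is+configured+to+use+the+interaction+code+flow' +
  '+and+user+interaction+is+required+to+complete+the+request';
if (typeof window === 'undefined') {
  handleCallback(
    DEMO_URL,
    (cfg) => console.log('re-rendering widget with', cfg.clientId),
    (code, state) => console.log('exchanging code', code, state)
  );
}
```

A server-side web application applies the same branch logic to the query string of the callback request; the only difference is where the widget is rendered. Whatever the flow, the app should still validate the returned state value against the one it generated before trusting the callback.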
