The Okta Browser Plugin fails to inject credentials into Secure Web Authentication (SWA) applications. This issue occurs when the authentication policy for the Okta Browser Plugin requires multifactor authentication (MFA), which interrupts the silent authentication flow. Resolve this issue by updating the Okta Browser Plugin authentication policy to require only a password.
When this issue occurs, the Okta Browser Plugin background logs display the following error:
shared.js:38 815(ms): AuthClient::handleLoginRequiredError: authorize returns login_required error, details: login_required: The client specified not to prompt, but the user is not logged in.
Additionally, the System Log displays a challenge event for the Okta Browser Plugin:
Evaluation of sign-on policy CHALLENGE Okta Browser Plugin (AppInstance) Catch-all Rule (Rule)
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Browser Plugin
- Secure Web Authentication (SWA)
The authentication policy assigned to the Okta Browser Plugin application requires MFA. The Okta Browser Plugin relies on a silent authentication flow to retrieve and inject credentials. When the policy prompts for an additional factor, the silent flow fails, preventing the plugin from filling in the credentials.
How is the issue of the Okta Browser Plugin failing to inject credentials into SWA applications resolved?
Update the authentication policy for the Okta Browser Plugin in the Okta Admin Console to require only a password by following these steps:
- In the Okta Admin Console, navigate to Security > Authentication Policies.
- Select the Okta Browser Plugin policy.
- Select the Rules tab.
- Click Edit on the Catch-all Rule or the specific rule affecting the authentication flow.
- Locate the User must authenticate with dropdown menu.
- Select Password.
- Click Save.
