This article outlines the common scenarios leading to the following error response from Okta's /authorize endpoint:
login_required
- OpenID Connect
- Single Sign On
In an OpenID Connect (OIDC) authentication flow (while using Okta), the login_required error, typically returned as a query parameter in a redirect from the /authorize endpoint, signifies that the Authorization Server cannot proceed with the authentication request without requiring user interaction for a login.
The main root cause is the "prompt=none" parameter being included in the /authorize request when either:
- There is no active Okta session, or
- There is a policy requiring reauthentication.
Another possible root cause (associated with the same parameter) is silent re-authentication through the /authorize endpoint instead of refresh tokens: an authorization request including the same "prompt=none" parameter is triggered in the background to obtain a new Okta session before the existing Okta session expires.
- If login_required is received when "prompt=none" is used, the application should handle this specific error scenario. A suggestion would be to prompt the user for authentication, or the error can be handled differently based on the requirements/app logic.
- Silent reauthentication can be achieved using refresh token functionality (instead of relying on the /authorize endpoint with "prompt=none" included in the request).
An alternative solution (only available on Okta Identity Engine):
- Interaction code flow can be used instead of authorization code flow for embedded Okta SDK use cases.
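The recommended handling above, as an added example that is not from this article or from Okta's SDKs: a silent (prompt=none) /authorize request, and a callback handler that validates state, recognises error=login_required and falls back to an interactive request without prompt=none. The issuer, client_id and redirect_uri are constructed placeholders.

```javascript
// Added example, not code from the Okta article. Issuer, client_id and
// redirect_uri are constructed placeholders, not a real tenant.
const ISSUER = 'https://example.okta.com/oauth2/default';
const CLIENT_ID = '0oaEXAMPLEclientid';
const REDIRECT_URI = 'https://app.example.com/callback';

// Build an authorization-code request to Okta's /authorize endpoint.
// silent=true adds prompt=none: Okta then redirects back with
// error=login_required instead of showing a login page when there is no
// active session or a policy requires re-authentication.
function buildAuthorizeUrl({ state, nonce, silent }) {
  const url = new URL(`${ISSUER}/v1/authorize`);
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('response_type', 'code');
  // offline_access requests a refresh token, the recommended way to renew
  // tokens without relying on prompt=none.
  url.searchParams.set('scope', 'openid profile offline_access');
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  if (silent) url.searchParams.set('prompt', 'none');
  return url.toString();
}

// Classify the redirect Okta sent to redirect_uri and return the action the
// app should take. `expected` holds the state/nonce of the request we issued.
function handleAuthorizeCallback(callbackUrl, expected) {
  const params = new URL(callbackUrl).searchParams;
  // Bind the response to our own request before trusting anything in it.
  if (params.get('state') !== expected.state) {
    return { action: 'reject', reason: 'state mismatch' };
  }
  const error = params.get('error');
  if (error === 'login_required') {
    // The silent request cannot finish without user interaction: repeat the
    // same request interactively (no prompt=none) so the user can log in.
    const redirect = buildAuthorizeUrl({ ...expected, silent: false });
    return { action: 'interactive_login', redirect };
  }
  if (error) {
    return { action: 'error', error, description: params.get('error_description') };
  }
  const code = params.get('code');
  return code ? { action: 'exchange_code', code } : { action: 'reject', reason: 'no code' };
}

// Constructed sample redirect, shaped like the one Okta sends after a
// prompt=none request when no active session exists.
const SAMPLE_LOGIN_REQUIRED =
  `${REDIRECT_URI}?error=login_required&error_description=login%20required&state=st-1`;
```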
