This article describes the error that occurs when an application attempts to authenticate a user without user interaction, but no active session exists. The following error message appears in the browser console logs when using an Okta SDK:
The client specified not to prompt, but the user is not logged in.
-
OpenID Connect (OIDC)
- OAuth2.0
- Okta Identity Engine (OIE)
- Okta Classic Engine
This error occurs because the client application sends an authorization request to the Identity Provider (IdP) containing the parameter prompt=none. This parameter instructs the IdP to process the request without displaying any user interface, such as a login page or consent screen. However, if the user does not have an existing active session with the IdP, the request fails because authentication cannot be completed silently.
To resolve this issue, the client application must handle the login_required error response returned by the IdP and initiate a new authentication request that allows for user interaction.
- Handling the Error in the Okta SDKs
When using the Okta Auth JS SDK, ensure that the code catches errors from silent authentication calls. If the error code is login_required, the application should redirect the user to a standard login flow or open a pop-up to re-establish the session.
For detailed implementation patterns and code snippets, refer to the following resources:
-
-
Silent Authentication: See the token.getWithoutPrompt options for handling background token requests.
-
Redirect Options: Review the Authorize options to understand how to adjust the
promptparameter for interactive logins.
-
- Verify the cookie settings.
If this error occurs frequently, even when users appear to have active sessions, verify that third-party cookies are not being blocked by the browser. Silent auth requests (prompt=none inside if an iFrame) rely on access to Okta domain cookies via an iFrame, which many modern browsers restrict by default.
