
JieH.83243 (Customer) asked a question.
When trying to use username/password to get tokens, it failed with error
"The client specified not to prompt, but the user is not logged in."
(Some information below is redacted.)
Steps:
First, using authn api with username/password
Request: https://mycorp.okta.com/api/v1/authn
Response: {
  "_embedded" : {
    "user" : {
      "id" : "00u1uh2lmxApvW7",
      "profile" : {
        "login" : "myname@mycorp.com",
        "firstName" : "first name",
        "lastName" : "last name",
        "locale" : "en_US",
        "timeZone" : "America/Los_Angeles"
      }
    }
  },
  "_links" : {
    "cancel" : {
      "href" : "https://mycorp.okta.com/api/v1/authn/cancel",
      "hints" : {
        "allow" : [ "POST" ]
      }
    }
  },
  "sessionToken" : "201118BcixzEN-qtBAw0UBpjMvrxXPxJTrPJueZ0LZGVtQM_oBz",
  "expiresAt" : "2022-10-18T00:54:15.000Z",
  "status" : "SUCCESS"
}
Second, using /authorize api to get code
Response: {
  "state" : "nmLVkziOXw_V15I1ts1WzQ",
  "error" : "login_required",
  "error_description" : "The client specified not to prompt, but the user is not logged in."
}
The same steps and code worked for me on a free account. But when I switched to MYCORP (a paid account), it failed with the above error. The filled-in information is correct (such as client id, redirect url, etc.).
I suspect it may be caused by company-wide SSO/MFA settings. But since the /authn API returns SUCCESS, my assumption is that the returned sessionToken should work for /authorize.
Anything wrong? (I followed the help on https://support.okta.com/help/s/article/How-to-get-tokens-for-an-OIDC-application-without-a-browser-using-curlPostman?language=en_US)
Thanks
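
The second step described in the question above, as an added example that is not part of the original thread: it builds the `/authorize` request carrying the `sessionToken` with `prompt=none`, then checks the `state` before interpreting the response. The endpoint path (default custom authorization server), client id, redirect URI and the use of PKCE are assumptions; the sample response is the one quoted in the question.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(endpoint, client_id, redirect_uri, session_token, state, challenge):
    """Build the /authorize request that exchanges a sessionToken for a code.
    The sessionToken is a one-time credential carried in the query string,
    so keep the resulting URL out of logs and shell history."""
    query = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "prompt": "none",              # never show a login page
        "sessionToken": session_token,  # from the /api/v1/authn SUCCESS response
    }
    return endpoint + "?" + urlencode(query)

def check_authorize_result(result, expected_state):
    """Verify state first, then return ("code", value) or ("error", name, description)."""
    got = result.get("state", "")
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in result:
        return ("error", result["error"], result.get("error_description", ""))
    if "code" not in result:
        raise ValueError("response carries neither a code nor an error")
    return ("code", result["code"])

if __name__ == "__main__":
    # Assumed endpoint and placeholder client values (not from the thread).
    endpoint = "https://mycorp.okta.com/oauth2/default/v1/authorize"
    state = "nmLVkziOXw_V15I1ts1WzQ"  # state value shown in the question
    verifier, challenge = pkce_pair()
    url = build_authorize_url(endpoint, "CLIENT_ID_PLACEHOLDER",
                              "https://app.example/callback",
                              "SESSION_TOKEN_PLACEHOLDER", state, challenge)
    # Response fields as quoted in the question.
    sample = {"state": state, "error": "login_required",
              "error_description": "The client specified not to prompt, but the user is not logged in."}
    print(check_authorize_result(sample, state))
```
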

Hello @JieH.83243 (Customer),
This issue was discussed here as well, please see below:
https://devforum.okta.com/t/the-client-specified-not-to-prompt-but-the-client-app-requires-re-authentication-or-mfa/11165/11
Please also review:
https://github.com/okta/okta-oidc-js/issues/460
Hi, Paul,
I read that link you gave but I do not see how it resolves my problem.
My goal is to get an access token (WITHOUT browser involved). That is why I followed How to get tokens for an OIDC application without a browser.
After getting a sessionToken successfully (with /authn api), it should be valid as input of /authorize.
But unfortunately, it seems not. What extra step should I take to make it valid? Using a browser is not an option. If you need extra information on how I reproduce this problem, please let me know.
Thanks
Jie Huang
Hello @JieH.83243 (Customer), in this case, my advice would be to leverage the Okta Developer forums for this type of question and take advantage of their expertise.
https://devforum.okta.com/
Two of our production users have run into this issue since yesterday ... In our case, both users are on Chrome 106.0.0 / Windows 10. Everyone else can log in fine.