As of 4.2 it is possible to log in with Okta. Login may fail for the reasons described below:
- Error 400 bad request
- Groups are not configured for this user
- URL redirection and login problems
- Failed to exchange the authorization code for JWT tokens
- Failed to prepare Authorization code flow parameters
- Failed to build Authorization code flow URL
- Login attempt couldn't be completed due to a session validation issue
- Invalid response from the identity provider received
- Unable to update configuration settings with metadata from the identity provider
- API access with Bearer token errors
- User is not assigned to the client application
- The 'redirect_uri' parameter must be a Login redirect URI in the client app settings
- Policy evaluation failed for this request, please check the policy configurations
- One or more scopes are not configured for the authorization server resource
Error 400 bad request
If you encounter this error, Okta received an unknown sign-in redirect URI and rejected your authentication request. Recheck the application created in Okta to rule out these possible causes:
- Wrong redirect URI: it must be the same as the address configured in MC Advanced settings, or your device address.
- A non-existent client ID was entered during the Okta integration on the MC side.
- The Okta application is deactivated.
Groups are not configured for this user or are not supported by the Management Console
Recheck the scopes and claims in the Okta Authorization server.
- Scope names don't match. MC requires the scopes "user_groups", "openid", "profile", "offline_access" and "email", with exactly these names.
- The "roles" claim was applied to the access token instead of the ID token. MC attempts to find the "roles" claim in the received JWT token and throws an error if it is not included.
- The "roles" claim has a very strict group filter (e.g., a regex or a specific value match).
- The "roles" claim was not added to the "user_groups" scope.
- Check that the Okta groups are registered in MC.
URL redirection and login problems
Authorization after redirection to the MC from Okta failed
The user attempted to log in with Okta but was redirected to MC after more than 10 minutes (e.g., they took a very long time to enter their password). Alternatively, users may have tried logging in using outdated authorization links to Okta.
Failed to authenticate the user after redirection from Okta to MC because the Okta configuration in MC was deactivated or updated in the meantime.
After 'Login with Okta' is clicked and authorization on Okta is completed, the user may be silently redirected to the login page again if Okta is deactivated in MC.
Failed to exchange the authorization code for JWT tokens
Depending on the error message itself, eliminate the blocking factor:
- Received error: "invalid_request (The authorization server id is invalid.)"
The authorization server had been deactivated by the time of login.
- Received error: "invalid_client (The client secret supplied for a confidential client is invalid.)"
The application's client secret configured on the MC side is invalid.
Failed to prepare Authorization code flow parameters: Failed to generate OIDC login redirect URL: Invalid URL
Failed to prepare parameters for the Okta authorization endpoint, e.g. the MC address under Advanced settings -> MC address is invalid. Check the Management Console address in the Advanced Settings.
Failed to build Authorization code flow URL
Failed to build the authorization endpoint URL, e.g. the Okta configuration was disabled during the authorization.
Login attempt couldn't be completed due to a session validation issue. CSRF tokens mismatch
CSRF tokens mismatch, e.g. an Okta internal issue or a CSRF attack.
Invalid response from the identity provider received
The integrity of the authorization response from Okta was broken, e.g. an Okta internal issue. Try signing in again or contact your Okta administrator.
Unable to update configuration settings with metadata from the identity provider
The error appears in the Okta connection dialog in MC. Depending on the error message, eliminate the blocking factor:
- Received error: "connect ECONNREFUSED 127.0.0.1:443"
An unknown organization domain was configured (network error or invalid Okta configuration on the MC side).
- Received error: "Identity provider returned error: Not found: Resource not found."
An unknown authorization server was configured (network error or invalid Okta configuration on the MC side).
- Received error: "Failed to parse OAuth2 configuration metadata"
The integrity of the metadata response from Okta is broken (contact your Okta administrator).
API access with Bearer token errors
Invalid Authorization Header Format: Please ensure that API authorization is enabled for your identity provider or verify that a valid Bearer token is issued for the correct client
The Okta API is disabled, or the issuer of the Bearer token does not match. For example, the Bearer token was generated for application X, but the Management Console is integrated with application Y.
Failed to decode the Bearer token.
Depending on the error message, eliminate the blocking factor:
- jwt audience invalid (invalid audience; check the Audience of your Authorization server)
- error in secret or public key callback: getaddrinfo ENOTFOUND {domain}.okta.com (network connectivity problem)
- jwt expired (the JWT token has expired)
- jwt subject invalid. expected: {ClientID} (invalid client ID; recheck the Client ID in the Okta configuration, or the token itself: ensure it was issued for this client application)
The token does not contain any supported roles
The roles supported by the Management Console were not applied to the token. This error may also occur if the scopes have an invalid format. Please verify the scopes included during Bearer token generation.
User is not assigned to the client application
- The user is not added to the user group applied to your application in Okta.
- The user group is not applied to your application.
The 'redirect_uri' parameter must be a Login redirect URI in the client app settings
Make sure you have configured Sign-in redirect URIs in the Okta application.
Make sure at least one of the Sign-in redirect URIs matches your MC address (https://<IP>:8443) or the address configured via Advanced settings -> Management Console address.
Policy evaluation failed for this request, please check the policy configurations
MC is attempting to access Okta resources that are restricted for your user by the access policy settings in the Authorization Server configuration:
- The application is not assigned to the Authorization server.
- No access policy was added to the Authorization server.
- No access policy rule is configured for your user, or the existing rule does not allow the user to connect to the Authorization server.
- The user_groups, offline_access, openid, profile and email scopes are not added to your policy rule.
One or more scopes are not configured for the authorization server resource
Authorization code flow (User):
The user_groups scope was not added to this Authorization server.
To resolve this, add the scope to the list of known scopes on the Okta authorization server. Then, navigate to Authorization Server → Access Policies → [rule responsible for the authorization code flow], and include this scope in the list of allowed scopes.
Client credentials code flow (API):
This error may occur when attempting to generate a bearer token. The issue arises because the scope you're trying to include in the token is not recognized by the Okta authorization server.
To resolve this, add the scope to the list of known scopes on the Okta authorization server. Then, navigate to Authorization Server → Access Policies → [rule responsible for the client credentials flow], and include this scope in the list of allowed scopes.