I am migrating from Google OAuth to Okta OAuth. I am sending the following request to Okta (using passport-okta-oauth20):
const passport = require('passport');
const OktaStrategy = require('passport-okta-oauth20').Strategy;

passport.use(new OktaStrategy(
  {
    audience: 'https://[company].okta.com',
    clientID: process.env.OKTA_CLIENTID,
    clientSecret: process.env.OKTA_SECRET,
    scope: ['openid', 'email', 'profile'],
    callbackURL: process.env.GOOGLE_CLIENT_CALLBACK,
  },
  // verify callback: receives the tokens and the Okta profile
  (accessToken, refreshToken, profile, done) => done(null, profile)
));
(obviously one of my variables is yet to be renamed, please ignore that; it contains the full absolute URL for the environment with my callback endpoint attached).
However, I'm getting the following back at my callback URL:
https://[website]/callback?state=[state]&error=invalid_scope&error_description=Requests+for+ID+tokens+or+access+tokens+with+OpenID+scopes+require+the+%27openid%27+scope.
I am sending the openid scope, as you can see above. What am I doing wrong? Is this something on Okta's side not allowing me the openid scope, or am I crafting the request wrong somehow?
ETA: This is definitely a passport.js problem; I captured the outgoing request as:
https://[company].okta.com/oauth2/v1/authorize?response_type=code&redirect_uri=https%3A%2F%2F[website]%2Fcallback&scope=email%20profile&state=1PjTs0yACCrPhIhTK3YW0yJq&client_id=[snipped]
I had scope defined in two places:
// per-request scope: this overrides the scope configured on the strategy
router.get('/login', passport.authenticate('okta', {
  scope: ['email', 'profile'],
}), (req, res) => res.redirect('/'));
Changed that to include openid.
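The override the question ran into, as an added example (not code from the question or from passport-okta-oauth20): passport-oauth2, which the Okta strategy extends, resolves the scope as `options.scope || this._scope`, so a `scope` passed to `passport.authenticate()` silently replaces the strategy's default instead of merging with it. The snippet models that precedence offline, adds a small guard that always keeps `openid` in the list, and includes a check you can run on a captured authorize URL before suspecting Okta. The authorize endpoint host and client id are placeholders.

```javascript
// Assumed placeholder endpoint; the real one is https://<org>.okta.com/oauth2/v1/authorize
const AUTHORIZE_URL = 'https://example.okta.com/oauth2/v1/authorize';

// Mirrors passport-oauth2's precedence: a scope given to passport.authenticate()
// wins outright; the strategy's scope is only used when none is passed.
function resolveScope(strategyScope, requestScope) {
  const chosen = requestScope !== undefined ? requestScope : strategyScope;
  return Array.isArray(chosen) ? chosen.slice() : String(chosen).split(/\s+/);
}

// Guard: whatever a route handler passes, the OIDC request still carries 'openid'.
function ensureOpenId(scopes) {
  return scopes.includes('openid') ? scopes : ['openid', ...scopes];
}

// Builds the same query the captured request in the question shows.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const u = new URL(AUTHORIZE_URL);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', scopes.join(' '));
  u.searchParams.set('state', state);
  u.searchParams.set('client_id', clientId);
  return u.toString();
}

// Check for a captured outgoing authorize request (browser dev tools, proxy log):
// true only when 'openid' is actually on the wire. Accepts '+' or '%20' separators.
function authorizeRequestHasOpenId(capturedUrl) {
  const scope = new URL(capturedUrl).searchParams.get('scope') || '';
  return scope.split(/\s+/).includes('openid');
}

// Walk through the question's configuration: strategy has openid, route does not.
function demo() {
  const strategyScope = ['openid', 'email', 'profile'];
  const routeScope = ['email', 'profile'];
  const common = { clientId: 'client-id-placeholder',
                   redirectUri: 'https://example.invalid/callback', state: 'abc123' };

  const broken = buildAuthorizeUrl({ ...common, scopes: resolveScope(strategyScope, routeScope) });
  const fixed = buildAuthorizeUrl({ ...common, scopes: ensureOpenId(resolveScope(strategyScope, routeScope)) });
  return { brokenHasOpenId: authorizeRequestHasOpenId(broken),
           fixedHasOpenId: authorizeRequestHasOpenId(fixed) };
}

module.exports = { resolveScope, ensureOpenId, buildAuthorizeUrl, authorizeRequestHasOpenId, demo };
```

In the real app the equivalent of `ensureOpenId` is simply to pass `scope: ['openid', 'email', 'profile']` in the route (or to drop the per-request `scope` entirely so the strategy's default applies); `authorizeRequestHasOpenId` is the quick way to confirm which of the two sets actually left the server.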