Problem statement
After switching our tenant to use DUO v4 from DUO v2, the following log-in error occurred:
{"error": "invalid_request_object", "error_description": "login_hint field is required"}
The error occurs on the following call:
GET https://api-8999f291.duosecurity.com/oauth/v1/authorize
Solution
This happens because the Duo application in use is of the Okta application type rather than a standard Web SDK application. To fix this issue, create a new application of the Web SDK type and update the keys in Auth0 accordingly. Here are the steps:
- Duo Admin Panel > Applications > Protect an Application > Web SDK
- Name the application appropriately
- Ensure the application settings are the same as the Okta application you are already using
- Ensure the applied policies are the same as the Okta application you are already using
- Auth0 Console > MFA > Duo: Update the ikey/skey (API host will be the same) to point to the new Duo application
- Auth0 Console > Tenant Settings > Migration > Disable mfa_use_duo_traditional deprecation.
Note: The new Duo application will have the Universal Prompt enabled by default, but if Duo detects Web SDK 2, the authentication will gracefully fall back to the Traditional Prompt until the mfa_use_duo_traditional deprecation is disabled. This means that the change can be made safely without disruption.