Error Received After Switching Tenant from DUO v2 to DUO v4

Problem statement

After switching our tenant to use DUO v4 from DUO v2, the following log-in error occurred:

{"error": "invalid_request_object", "error_description": "login_hint field is required"}

The error occurs on the following call:

GET https://api-8999f291.duosecurity.com/oauth/v1/authorize

Solution

This error occurs because the Duo application in use is of the Okta application type rather than a standard Web SDK application. To fix this issue, create a new application of the Web SDK type and update the keys in Auth0 accordingly. Here are the steps:

  1. Duo Admin Panel > Applications > Protect an Application > Web SDK
  2. Name the application appropriately
  3. Ensure the application settings are the same as the Okta application you are already using
  4. Ensure the applied policies are the same as the Okta application you are already using
  5. Auth0 Console > MFA > Duo: Update the ikey/skey (API host will be the same) to point to the new Duo application
  6. Auth0 Console > Tenant Settings > Migration > Disable mfa_use_duo_traditional deprecation.

Note: The new Duo application will have the new Universal Prompt enabled by default, but if Duo detects Web SDK 2, the auth will gracefully fall back to the Traditional Prompt until the mfa_use_duo_traditional deprecation is disabled. This means that the change can be done safely without disruption.