Issues when Creating a Front Channel Okta Workforce Connection

Overview

Two issues occur when trying to create a front-channel Okta Workforce Connection.

  1. Cannot create a front-channel Okta Workforce Connection through the Dashboard.
  2. After creating a front-channel Okta Workforce Connection through the Management API, the following error is returned when the connection is used: Error! Something happened while trying to create your connection: client_secret is required when the type is “back_channel”

Applies To

  • Okta Workforce Connection
  • Front Channel

Cause

Auth0 (Customer Identity Cloud) implements the OAuth 2.0 Authorization Code flow so that tokens are never passed through the front end (the user's browser). Okta Workforce connections therefore always use the back-channel flow, in which Auth0 exchanges the authorization code for tokens server-to-server and must authenticate to Okta with a Client Secret.

Solution

Front-channel flows are not supported for Okta Workforce connections. Because Auth0 performs the back-channel code exchange, the Auth0 Dashboard will not create an Okta Workforce connection unless an appropriate Client Secret is provided.

The Management API does allow the connection to be created without the Client Secret, but the connection then fails with the error quoted above as soon as it is used. Supply the Client Secret (the field the error message names: client_secret) when creating the connection through the Management API as well.
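The following is an added example, not Auth0's own code or documentation, of creating the connection through the Management API with the Client Secret in place, together with a local pre-check that refuses a payload without it, the way the Dashboard does. The strategy name "okta", the option names "domain", "client_id", "client_secret" and "scope", and the tenant domain, Management API token and Okta values are assumptions for illustration; check them against the Management API reference for your tenant before use.

```python
"""Create an Okta Workforce connection via POST /api/v2/connections, refusing to
send a payload that lacks client_secret (the check the Dashboard performs but the
Management API does not).

Added example, not Auth0's own code. Assumptions (not stated on the page):
- the Okta Workforce strategy name is "okta";
- the Okta settings live under options.domain / options.client_id /
  options.client_secret / options.scope;
- tenant domain, Management API token and Okta values below are placeholders.
"""
import json
import urllib.request


def preflight_okta_connection(body: dict) -> list:
    """Return the problems the Dashboard would reject this payload for.

    The Management API accepts a body without client_secret, but the connection
    then fails at login time, so the secret is treated as mandatory here.
    """
    problems = []
    opts = body.get("options", {})
    if body.get("strategy") != "okta":
        problems.append("strategy must be 'okta' for an Okta Workforce connection")
    for field in ("domain", "client_id", "client_secret"):
        if not opts.get(field):
            problems.append(f"options.{field} is required for the back-channel code exchange")
    return problems


def build_okta_connection(name, okta_domain, client_id, client_secret, enabled_clients=()):
    """Build the request body for a back-channel Okta Workforce connection."""
    return {
        "name": name,
        "strategy": "okta",
        "options": {
            "domain": okta_domain,          # e.g. "dev-123456.okta.com" (placeholder)
            "client_id": client_id,         # client_id of the app registered in Okta
            "client_secret": client_secret, # required: Auth0 authenticates to Okta with it
            "scope": "openid profile email",
        },
        "enabled_clients": list(enabled_clients),
    }


def create_connection(tenant_domain, mgmt_token, body, opener=urllib.request.urlopen):
    """POST the connection to the Management API; raises ValueError if preflight fails."""
    problems = preflight_okta_connection(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"https://{tenant_domain}/api/v2/connections",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {mgmt_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:  # opener is injectable so the call can be mocked in tests
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent unless preflight passes.
    incomplete = build_okta_connection("okta-workforce", "dev-123456.okta.com", "0oa-example", "")
    print(preflight_okta_connection(incomplete))
    complete = build_okta_connection("okta-workforce", "dev-123456.okta.com", "0oa-example", "okta-client-secret")
    print(preflight_okta_connection(complete))  # [] means the payload is ready to send
```

Use a Management API token with the create:connections scope; the preflight runs before any request is made, so a missing secret is caught locally instead of surfacing later as a login failure.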

If the client is a regular web app executing on a server, the Authorization Code Flow is the flow to use. With it the client can retrieve an Access Token and, optionally, a Refresh Token. It is considered the safest choice because the Access Token is delivered directly to the web server hosting the client, without passing through the user's web browser where it could be exposed. To learn how this flow works and how to implement it, see Authorization Code Flow.

The front channel is used by the client application to obtain an authorization code. The back channel is used by the client application to exchange that authorization code for an access token (and optionally a refresh token). The flow assumes the Resource Owner's user agent and the client application are on separate devices. It is the most secure flow because the client can be authenticated when it redeems the authorization code, and tokens are never passed through a user agent.
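The exchange described above, as an added example that is not part of the original article and not Auth0's or Okta's code: a toy authorization server and a confidential web-app client run in one process. The front channel carries only the authorization code and state through the browser redirect; the back channel redeems the code server-to-server and requires the client_secret, so a client configured without one fails with invalid_client, which is the same failure mode the article describes for a front-channel Okta connection. The client IDs, secrets and URLs are constructed sample values.

```python
"""Front channel versus back channel in the OAuth 2.0 Authorization Code flow.

Added example, not from the page or from Auth0/Okta. All identifiers and URLs
are constructed sample values.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Toy IdP: issues codes on the front channel, tokens on the back channel."""

    def __init__(self, clients):
        # client_id -> {"secret": str, "redirect_uri": str}
        self.clients = clients
        self.codes = {}  # code -> (client_id, redirect_uri); single use

    def authorize(self, client_id, redirect_uri, state):
        """Front channel: reached via the user's browser, answers with a redirect."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        # Only the short-lived code and the client's state travel through the browser.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: server-to-server; the client must prove its identity."""
        client = self.clients.get(client_id)
        if (client is None or client_secret is None
                or not hmac.compare_digest(client["secret"], client_secret)):
            raise PermissionError("invalid_client: client_secret is required on the back channel")
        if self.codes.pop(code, None) != (client_id, redirect_uri):
            raise PermissionError("invalid_grant: unknown, reused or mismatched code")
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),
        }


class WebAppClient:
    """Confidential client on a server; it holds the secret, the browser never does."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id = client_id
        self.client_secret = client_secret  # None models a front-channel-only setup
        self.redirect_uri = redirect_uri
        self.pending_state = None

    def start_login(self, idp):
        """Send the browser to the IdP with a fresh state value."""
        self.pending_state = secrets.token_urlsafe(16)
        return idp.authorize(self.client_id, self.redirect_uri, self.pending_state)

    def handle_callback(self, idp, callback_url):
        """Browser returns with code + state; the code is redeemed server-to-server."""
        params = parse_qs(urlparse(callback_url).query)
        if params.get("state", [None])[0] != self.pending_state:
            raise PermissionError("state mismatch (possible CSRF)")
        return idp.token(self.client_id, self.client_secret, params["code"][0], self.redirect_uri)


def run_flow(client_secret):
    """Run one login. Returns (callback_url, tokens-or-error-text)."""
    idp = AuthorizationServer({"app1": {"secret": "s3cr3t", "redirect_uri": "https://app.example/callback"}})
    app = WebAppClient("app1", client_secret, "https://app.example/callback")
    callback_url = app.start_login(idp)  # the browser follows this redirect
    try:
        return callback_url, app.handle_callback(idp, callback_url)
    except PermissionError as exc:
        return callback_url, str(exc)


if __name__ == "__main__":
    print(run_flow("s3cr3t"))  # tokens issued; callback URL holds only code and state
    print(run_flow(None))      # invalid_client: no secret on the back channel
```

Note that in both runs the redirect URL the browser sees contains only code and state; the tokens exist only in the server-to-server response, which is the property the back-channel flow is chosen for.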

The OAuth 2.0 Implicit flow is a front-channel flow that is no longer recommended. Info on that here.

Related References: