Okta Workforce/OIDC connection returning 403

Problem statement

We are trying to set up an enterprise connection with a client using Okta Workforce.
The client application and Auth0 are all set correctly according to the documentation:

The user is able to log in with Okta, but once they are redirected to Auth0, the tenant logs record the following failed-login entry:

{
...
"type": "f",
"description": "expected 200 OK, got: 403 Forbidden",
...
"error": {
"message": "expected 200 OK, got: 403 Forbidden",
"oauthError": "access_denied",
"type": "oauth-authorization"
},
...
}

Cause

A 403 from Okta’s /oauth2/v1/token endpoint (or from the Okta domain itself, in which case every endpoint for the org is affected) tends to be caused by an IP blocklist. Auth0’s infrastructure is not blocking Okta, so the 403 comes from Okta blocking access to the endpoint, typically through a regional (geo or IP-range) restriction on the org.
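The following script is an added example and is not code from Auth0 or Okta. It does two things a support engineer would do by hand when triaging this error: it parses the upstream HTTP status out of an Auth0 failed-login ("type": "f") log entry like the one above, and it probes the Okta org's OIDC discovery document so that a blocklist can be distinguished from a client-configuration mistake. The sample log entry is constructed, the connection name in it is hypothetical, the function names are my own, and the status-to-cause mapping is an interpretation of the explanation above (403 from Okta means the request was refused before the token exchange; 400/401 means the endpoint was reached and the client settings are at fault).

```python
import json
import re
import urllib.error
import urllib.request

# Constructed sample: an Auth0 tenant log entry with the shape shown in the
# problem statement. The connection name is hypothetical.
SAMPLE_LOG_ENTRY = json.dumps({
    "type": "f",
    "description": "expected 200 OK, got: 403 Forbidden",
    "connection": "okta-workforce-example",
    "error": {
        "message": "expected 200 OK, got: 403 Forbidden",
        "oauthError": "access_denied",
        "type": "oauth-authorization",
    },
})

# Auth0 reports the upstream IdP's status in this fixed phrase.
STATUS_RE = re.compile(r"expected 200 OK, got: (\d{3})")


def upstream_status_from_log(entry_json: str):
    """Return the HTTP status the upstream IdP answered with, parsed from the
    description / error.message of an Auth0 failed-login ('f') entry, or
    None when the entry does not carry that phrase."""
    entry = json.loads(entry_json)
    if entry.get("type") != "f":
        return None
    candidates = (
        entry.get("description", ""),
        entry.get("error", {}).get("message", ""),
    )
    for text in candidates:
        match = STATUS_RE.search(text)
        if match:
            return int(match.group(1))
    return None


def classify_upstream_status(status):
    """Map the upstream status to the most likely cause. The labels are this
    example's own; they follow the reasoning in the Cause section."""
    if status is None:
        return "unknown"
    if status == 403:
        # Request refused outright: with Okta this is typically an IP or
        # regional blocklist on the org, which cannot be fixed from Auth0.
        return "blocked_by_idp"
    if status in (400, 401):
        # Token endpoint was reached; client_id, client_secret or redirect
        # URI in the Auth0 connection do not match the Okta app.
        return "client_misconfigured"
    if 500 <= status < 600:
        return "idp_error"
    return "other"


def probe_okta_org(okta_domain: str, timeout: int = 10) -> int:
    """Fetch the org's OIDC discovery document and return the HTTP status.

    An Okta IP blocklist applies to the whole org domain, so a 403 here,
    when run from the same region the Auth0 tenant is hosted in, corroborates
    the cause above without needing a real authorization-code exchange.
    (Network call; not exercised by the offline test.)"""
    url = f"https://{okta_domain}/.well-known/openid-configuration"
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    status = upstream_status_from_log(SAMPLE_LOG_ENTRY)
    print(f"upstream status {status}: {classify_upstream_status(status)}")
```

Run the probe from a host in the same region as the Auth0 tenant (for example a cloud VM in that region); a 200 from the discovery document where Auth0 still sees a 403 on the token endpoint points at a narrower, endpoint-level block, while a 403 on both points at the org-wide IP blocklist described above, and in either case the block can only be lifted by Okta Support.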

Solution

This is not something we can confirm or resolve from our side, unfortunately. We highly recommend that you raise a ticket with Okta Support. They will be able to confirm whether they are blocking traffic from the specific location where your Auth0 tenant is hosted, and remove that block.