Okta Workforce or OIDC Connection Returning 403

Last Updated Aug 28, 2024

Overview

When setting up an Enterprise Connection using Okta Workforce, a 403 error is returned even though the client application and Auth0 are configured correctly according to the documentation.

The user is able to log in to Okta, but once they are redirected back to Auth0, the login fails and the Auth0 tenant log records the following error:

{
  ...
  "type": "f",
  "description": "expected 200 OK, got: 403 Forbidden",
  ...
  "error": {
    "message": "expected 200 OK, got: 403 Forbidden",
    "oauthError": "access_denied",
    "type": "oauth-authorization"
  },
  ...
}

Cause

When Okta's /oauth2/v1/token endpoint returns a 403, the cause is usually an IP or geographic blocklist. The authorization-code exchange with that endpoint is a back-channel request made by Auth0's servers, not by the user's browser, so it originates from the region in which the Auth0 tenant is hosted. Auth0's infrastructure does not block outbound traffic to Okta, so the 403 most likely comes from Okta refusing requests from that region. This also explains the symptom: the user reaches Okta from their own network and signs in successfully, while the follow-up token request from Auth0's region is rejected.

The same restriction may also affect the Okta domain itself or other endpoints.

Solution

Because the block is enforced on Okta's side rather than Auth0's, it is not something Auth0 can confirm or resolve.

We recommend raising a ticket with Okta WIC (Workforce Identity Cloud) Support. They can confirm whether traffic from the region where the Auth0 tenant is hosted is being blocked, and remove that block. Include the Auth0 tenant's region and the timestamp of a failing login attempt in the ticket.
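Before or while raising the ticket, you can verify from your own infrastructure that the token endpoint, and not the Auth0 configuration, is what is refusing the request. The script below is an added example written for this article; it is not Auth0's or Okta's code. It POSTs a deliberately bogus authorization code to the Okta org's /oauth2/v1/token endpoint: a reachable endpoint answers with an OAuth error (400 invalid_grant, or 401 invalid_client if the credentials are wrong), whereas an IP or geographic block in front of the endpoint answers 403 before the OAuth layer ever sees the request. Run it from a host in the same region as the Auth0 tenant, since a regional block is invisible from other networks. The Okta domain, client ID, client secret and redirect URI in the example are placeholders (assumptions) to replace with your own values; the /login/callback redirect URI is the standard Auth0 callback for Okta Workforce connections.

```python
"""Reachability probe for an Okta org's /oauth2/v1/token endpoint.

Added example; not Auth0's or Okta's code. A bogus authorization code is sent
so that a reachable endpoint returns an OAuth error (400 invalid_grant, or
401 invalid_client for bad credentials), while an IP/geo block in front of
the endpoint returns 403 without reaching the OAuth layer.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Tuple


def classify(status: int, body: str) -> str:
    """Turn the token endpoint's HTTP status and body into a diagnosis."""
    try:
        payload = json.loads(body)
        oauth_error = payload.get("error") if isinstance(payload, dict) else None
    except ValueError:
        oauth_error = None  # HTML or empty body: the OAuth layer did not answer
    if status == 403:
        # Okta's token endpoint does not use 403 for a bad code or bad client;
        # a 403 here means something in front of it refused the request.
        return "blocked"
    if status in (400, 401) and oauth_error in ("invalid_grant", "invalid_client"):
        # The endpoint processed the request and rejected the bogus code or
        # credentials: the network path from this host is fine.
        return "reachable"
    return "unexpected"


def probe(okta_domain: str, client_id: str, client_secret: str,
          redirect_uri: str) -> Tuple[int, str, str]:
    """POST a bogus authorization code to the token endpoint and classify it."""
    url = f"https://{okta_domain}/oauth2/v1/token"
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": "bogus-code-reachability-probe",  # never a real code
        "redirect_uri": redirect_uri,
    }).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=form, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 4xx/5xx responses arrive here
        status, body = exc.code, exc.read().decode("utf-8", "replace")
    return status, body, classify(status, body)


if __name__ == "__main__":
    # Placeholders (assumptions): replace with the Okta org and the client
    # registered for the Auth0 connection. Auth0's callback for Okta Workforce
    # connections is https://<auth0-tenant-domain>/login/callback.
    status, body, verdict = probe(
        okta_domain="dev-000000.okta.com",
        client_id="0oaexampleclientid",
        client_secret="example-secret",
        redirect_uri="https://example.us.auth0.com/login/callback",
    )
    print(f"HTTP {status} -> {verdict}")
    print(body[:300])
    sys.exit(0 if verdict == "reachable" else 1)
```

A "blocked" verdict from a host in the tenant's region is the evidence to attach to the Okta ticket; a "reachable" verdict means the token endpoint accepts traffic from that region and the problem should be looked for elsewhere, for example in the client ID, secret or redirect URI configured on the connection.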