OIDC with PKCE on Okta SSO

[esn89]

I am on Kargo 1.7.5, and I am not running any dex containers. I am using the API server to do my SSO as follows:

Followed this guide: https://docs.kargo.io/operator-guide/security/openid-connect/#registering-kargo-as-a-client

My settings are:

        api:
          oidc:
            dex:
              enabled: false
            enabled: true
            issuerURL: "https://mycompany.okta.com"
            clientID: "<REMOVED>"
            additionalScopes:
            - groups
            usernameClaim: email
            admins:
              claims:
                email:
                  - [email protected]

I can see the "SSO Login" button.

However,

I am getting this error when I try to login:

OIDC: {"cause":{"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."},"code":"OAUTH_RESPONSE_BODY_ERROR","error":"invalid_client","status":401,"error_description":"Client authentication failed. Either the client or the client credentials are invalid.","name":"H5i"}

I am wondering what else I could be missing. Is it the clientSecret? But I was reading that PKCE eliminates the need for that.

[krancour]

I'm not super familiar with Okta, but I have a vague recollection from the last time I used it that there's some "public client" box (or something like that) that you need to check to enable the client to work without a secret.

[esn89]

Is this on Okta side?

[krancour]

Yes. Or the option might be called something like "Single-Page Application."

Bottom line is you need to tell Okta that the client doesn't have a secret.