
Okta doesn't return select-authenticator-unlock-account in the response. #1574

Description

@cgstaber

Describe the bug

About a month ago, when you entered the wrong username 6 times (defined in policy), the SDK would throw an error that the account was locked. I put code in to catch it and then handle it.

Today, not only does it not throw an error, it acts as if the request succeeded and returns nothing that indicates the account is locked. All of the step objects point to the next thing being "select-authenticator-authenticate" instead of "select-authenticator-unlock-account". Attempting to select an authenticator as a next step results in a 500 response. Additionally, when I watch the responses in the hosted Okta widget, it gets the correct unlock-account step and the widget notifies the user that the account is locked. Here is the response the SDK shows when entering the wrong password the 6th time and the account is locked:

Reproduction Steps?

1. When the user enters a username and a wrong password, the sign-in flow using IDX is initiated.
2. The popup to verify the email using the code shows - expected
3. The user verifies the email and a message saying wrong credentials is shown - expected
4. The user continues to do the exact same process 5 more times and the account is locked (policy is set to 6) - expected
5. The Account Locked email is sent - expected
6. Okta doesn't add select-authenticator-unlock-account to the response, so we can't initiate the Unlock Account email - unexpected

If we do the exact same process using the Okta Widget, then select-authenticator-unlock-account is included and everything works fine. The only difference is that when using the Okta Widget the popup to verify the email isn't shown every time, but only once on the first attempt.

SDK Versions

7.11.0

Additional Information?

This is a legit bug and not something support can help with - They're just going to reach out to engineering.
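Added example (not code from the issue author or from the okta-auth-js project): a small classifier that an application could run over the transaction object returned by the IDX flow, using the fields visible in the report (`status`, `availableSteps`, `nextStep`, `requestDidSucceed`). It starts the unlock flow when `select-authenticator-unlock-account` is offered, and otherwise falls back to the app's own count of failed attempts (assumed to be tracked per username in the session) so that, once the policy threshold from the report is reached, the app stops instead of proceeding into the 500 described above. The sample transactions are constructed and trimmed, not copied from the report.

```javascript
const UNLOCK_STEP = 'select-authenticator-unlock-account';
const AUTH_STEP = 'select-authenticator-authenticate';
// Assumed lockout threshold, matching the policy described in the report (6 attempts).
const LOCKOUT_THRESHOLD = 6;

function stepNames(transaction) {
  return (transaction.availableSteps || []).map((step) => step.name);
}

// Decide what the app should do with the transaction returned after a
// credential attempt. `failedAttempts` is the app's own count of wrong
// passwords for this username in the current session (assumed bookkeeping).
function classifyTransaction(transaction, failedAttempts) {
  if (transaction.status === 'SUCCESS') return { action: 'complete', step: null };
  const names = stepNames(transaction);
  if (names.includes(UNLOCK_STEP)) {
    // Expected server behaviour: lockout is signalled and the unlock flow offered.
    return { action: 'unlock', step: UNLOCK_STEP };
  }
  const next = transaction.nextStep ? transaction.nextStep.name : null;
  if (failedAttempts >= LOCKOUT_THRESHOLD && next === AUTH_STEP) {
    // The case from the report: the response looks like a normal authenticator
    // selection, but the account is already locked and proceeding fails with a
    // 500. Surface a lockout message rather than calling proceed().
    return { action: 'locked-no-unlock-step', step: null };
  }
  if (next) return { action: 'proceed', step: next };
  return { action: 'unknown', step: null };
}

// Constructed sample shaped like the report's response after the 6th failure.
const SAMPLE_LOCKED_WITHOUT_UNLOCK = {
  status: 'PENDING',
  requestDidSucceed: true,
  availableSteps: [{ name: AUTH_STEP, inputs: [] }, { name: 'cancel' }],
  nextStep: { name: AUTH_STEP, inputs: [] },
};

// Constructed sample of the response the hosted widget receives instead.
const SAMPLE_LOCKED_WITH_UNLOCK = {
  status: 'PENDING',
  requestDidSucceed: true,
  availableSteps: [{ name: UNLOCK_STEP, inputs: [] }, { name: 'cancel' }],
  nextStep: { name: UNLOCK_STEP, inputs: [] },
};
```

In a real application the transaction comes from `authClient.idx.authenticate()` or `authClient.idx.proceed()`; the classifier only looks at the returned object, so it can be unit-tested without the SDK.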
