Okta Redirect Error using OIDC Provisioner

How to resolve "Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings"

If you're generating certificates using an Okta OIDC provisioner in Smallstep, Okta may show the following error in the browser after you run the `step` command.

`Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings`

In this case, Okta requires the `redirect_uri` that `step` sends to match one of the `Sign-in redirect URIs` registered on the Smallstep OIDC application, and that URI includes the port `step` listens on for the callback. A common URI would be `127.0.0.1:10000`.

Here are two options to resolve this (assuming your redirect port is `10000`):

  • Dashboard - In the Dashboard, edit your OIDC Provisioner and open Advanced Settings. Set `Listen Address (optional)` to a colon followed by the port configured in Okta (here, `:10000`).
  • Step CLI (Command Line) - Prefix your `step ca certificate` command with `STEP_LISTEN=:10000` (where 10000 is the port you specified in your Okta Smallstep OIDC settings).
    • Example:
      `STEP_LISTEN=:10000 step ca certificate myservice --san myservice.internal.mycompany.net myservice.crt myservice.key --not-after 24h`