product icon

How do I change my Okta federated integration from Implicit flow to Authorization Code flow with PKCE?

    As an Okta user, a new authorization flow between LastPass and Okta is available. Okta now supports the Authorization Code flow with a Proof Key for Code Exchange (PKCE), which is currently the most secure method for controlling access between two parties. LastPass has already implemented this security update, but as an Admin, you need to adjust several items in the Okta admin portal, and through the LastPass federation configuration page in the new Admin Console, for the update to take full effect.

    Step #1: Configure additional sign-in redirect URIs for your LastPass single-page application in Okta

    Before you begin: Log in to your Okta Admin portal with your administrator account credentials.
    1. In the Okta portal, under Applications in the left navigation, select Applications.
    2. Find your LastPass Okta Login single-page application. Click the entry of the application.
    3. On the General tab, in the General Settings section, click Edit.
    4. Under LOGIN > Sign-in redirect URIs, add the following new redirect URIs:
      • lastpass-desktop-client://windows
      • lastpass-browser-extension://ie
      • lastpass-mobile-client://android
      • lastpass-mobile-client://ios
      • moz-extension://*
      • chrome-extension://hdokiejnpimakedhajhdlcegeplioahd
      • chrome-extension://bbcinlkgjjkejfdpemiealijmmooekmp
      • chrome-extension://hnjalnkldgigidggphhmacmimbdlafdo
    5. Click Save when finished.
      Sign-in redirect URIs

    Step #2: Change grant type from Implicit to Authorization Code for your LastPass single-page application in Okta

    Before you begin: Log in to your Okta Admin portal with your administrator account credentials.
    1. In the Okta portal, under Applications in the left navigation, select Applications.
    2. Find your LastPass Okta Login single-page application. Click the entry of the application.
    3. On the General tab, in the General Settings section, click Edit.
    4. Under APPLICATION > Grant type > Client acting on behalf of a user:
      1. Unselect the Implicit (hybrid) checkbox.
      2. Select the Authorization Code checkbox.
    5. Click Save when finished.
      Grant type

    Step #3: Change grant type from Implicit to Authorization Code in your LastPass authorization server's access policy in Okta

    About this task:
    Attention: This step is relevant only for those who have an authorization server set up for their integration.

    Skip this step if either of the following applies:

    • You are using Okta SCIM as the Identity Provider and directory provider without an authorization server (standard configuration, without authorization server)
    • You are using Okta SSO as the Identity Provider and Active Directory as the directory provider (hybrid configuration)
    Before you begin: Log in to your Okta Admin portal with your administrator account credentials.
    1. In the Okta portal, under Security in the left navigation, select API.
    2. On the Authorization Servers tab, find the entry of the LastPass authorization server. Click the entry of the server to open it.
    3. Go to the Access Policies tab. You should see a rule displayed.
      Authorization Server access policy rule
    4. Click the Edit rule icon Edit rule. The Edit Rule window pops up.
    5. Under Grant type > Client acting on behalf of a user:
      1. Unselect the Implicit (hybrid) checkbox.
      2. Select the Authorization Code checkbox.
      Access policy rule
    6. Click Update Rule.

    Step #4: Enable the PKCE flow for your Okta integration in LastPass

    1. Go to LastPass and the new Admin Console .
    2. Click Users > Federated login.
    3. Go to the Okta tab.
    4. Check the box for Enable PKCE flow.
    5. Click Save changes.
      Enable PKCE flow