You may see the following error message in the Admin UI when OpenID Connect authentication is enabled on the TIBCO Spotfire Server with Okta as Identity Provider.

'Could not login, contact your administrator'

Below error message can be seen in server.log:

WARN 2019-11-08T16:42:12,951+0000 [unknown, #50, #9048] auth.oidc.OidcAuthenticator: OpenID Connect authentication failed
com.spotfire.server.security.auth.oidc.OidcException: No 'code' parameter given
    at com.spotfire.server.security.auth.oidc.OidcAuthenticator.authenticate(OidcAuthenticator.java:306) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.AuthenticationManager.doAuthenticate(AuthenticationManager.java:406) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.AuthenticationManager.authenticateNonAnonymously(AuthenticationManager.java:356) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.AuthenticationManager.authenticateFrontend(AuthenticationManager.java:221) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.AuthenticationManager.authenticate(AuthenticationManager.java:205) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$AuthenticationFilter.attemptAuthentication(SecurityFilter.java:444) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$AuthenticationFilter.doFilter(SecurityFilter.java:241) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:978) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1007) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$UserDataConstraintFilter.doFilter(SecurityFilter.java:852) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:978) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1007) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$ConnectorFilter.doFilter(SecurityFilter.java:812) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:978) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1007) ~[spotfire-server.jar:?]
    at com.spotfire.server.security.SecurityFilter.doFilter(SecurityFilter.java:159) ~[spotfire-server.jar:?]
    .......
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.17]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) ~[tomcat-coyote.jar:9.0.17]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-coyote.jar:9.0.17]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834) ~[tomcat-coyote.jar:9.0.17]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415) ~[tomcat-coyote.jar:9.0.17]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.17]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_201]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_201]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.17]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_201]

The reason why it returned "No code parameter" is due to the prompt parameter value set in OpenID configuration. Setting prompt parameter with the value 'none' means that there is no active session from Identity Provider side (the End-User is not already Authenticated in Okta) to authenticate silently.

<auth-request-prompt-value>none</auth-request-prompt-value>

If you want to use the 'none' parameter then you should ensure to establish the session in Okta and then login with Spotfire. If not, you can change the parameter to 'login' so that the Spotfire Server attempts to Authenticate the End-User even if the End-User is already authenticated.

<auth-request-prompt-value>login</auth-request-prompt-value>

This article will help resolve the issue when an error "No 'code' parameter given" is seen in server.log

Doc: Advanced OpenID Connect Settings

• https://docs.tibco.com/pub/spotfire_server/10.3.5/doc/html/TIB_sfire_server_tsas_admin_help/GUID-19E06B0A-6D52-4568-A89A-14D7EC1DE65A.html