Okta "E0000004 Authentication failed" in CI
Okta returned E0000004 "Authentication failed" from the /api/v1/authn primary authentication call because the username or password for the CI test user was wrong. Okta does not distinguish the two, by design.
What this error means
A login test against Okta returns 401 with "errorCode":"E0000004","errorSummary":"Authentication failed". The seeded test user credentials do not match the org.
Okta
HTTP/1.1 401 Unauthorized
{"errorCode":"E0000004","errorSummary":"Authentication failed","errorLink":"E0000004","errorId":"oae...","errorCauses":[]}Common causes
Wrong test user credentials
The username or password for the CI user is wrong or was never set to the value the test uses.
The user is not active in this org
A staged or deactivated user cannot complete primary authentication.
How to fix it
Seed and use a valid active user
- Provision an active test user with a known password in the CI org.
- Store the credentials as CI secrets.
- Send them to /api/v1/authn exactly as stored.
Terminal
curl -s -X POST "https://$OKTA_ORG.okta.com/api/v1/authn" \
-H "Content-Type: application/json" \
-d '{"username":"'$OKTA_USER'","password":"'$OKTA_PASS'"}'Confirm the user is active
Ensure the test user status is ACTIVE, not STAGED or SUSPENDED, before running login tests.
How to prevent it
- Provision active test users with known passwords for CI.
- Keep credentials in CI secrets, not in the test code.
- Assert user status is ACTIVE during setup.
Related guides
Cognito "NotAuthorizedException: Incorrect username or password" in CIFix Cognito "NotAuthorizedException: Incorrect username or password" in CI - the InitiateAuth call used wrong…
Keycloak "invalid_grant: Account is not fully set up" in CIFix Keycloak "invalid_grant: Account is not fully set up" in CI - the test user has a required action pending…
Auth0 "access_denied" from the token endpoint in CIFix Auth0 "error":"access_denied" in CI - the client authenticated but was not authorized for the requested A…