405 error when trying to get a session cookie through the OpenID Connect authorization endpoint

I am trying to get a session cookie as described here:

I can get the sessionToken from this endpoint https://dev-78000243.okta.com/api/v1/authn
with a POST body like:

{
  "username": "xxxxx",
  "password": "xxxxxx",
  "options": {
    "multiOptionalFactorEnroll": false,
    "warnBeforePasswordExpired": false
  }  
}

But when trying to get the session cookie here:

https://dev-78000243.okta.com/oauth2/default/v1/authorize?redirect_uri=com.okta.dev-78000243:/callback&client_id=0oa7zwlcfdaYTTBpx5d7&response_type=id_token&prompt=none&state=faf1747c-6691-417a-baf2-ae334102d4e7_1674489767339&nonce=31cfd5ee-2f90-49a0-9de3-db7d920a108b_1674489767340&scope=openid&sessionToken=20111kiZ9s65M2RB-6gTN0Q-Ewa0-6Pz4h09bxCuJCR018a27nxr_5M

I always get a 405 with this body:

{
    "errorCode": "E0000022",
    "errorSummary": "The endpoint does not support the provided HTTP method",
    "errorLink": "E0000022",
    "errorId": "oae2DRl0GUmReSIblKbGCCu9Q",
    "errorCauses": []
}

Hi @ralph.mueller! Perhaps there is a typo in your request - for the error "method not allowed" see https://http.cat/405.

Things to double check:

2 Likes

Thank you, but I checked all that and still get the same 405

Thanks for confirming. Please share how you are making the /authorize call e.g. cURL, Postman, browser? I will try to repro on my end. Are you able to make a regular /authorize request without prompt=none?

Note: You’ll need to be signed in to Okta first before you make a regular /authorize request through the browser for example.

1 Like

Also, in this example - Work with Okta session cookies | Okta Developer - the redirect URI is encoded. You might wanna try that also.

https://${yourOktaDomain}/oauth2/v1/authorize?client_id=${clientId}&response_type=id_token&scope=openid&prompt=none&redirect_uri=https%3A%2F%2Fyour-app.example.com&state=Af0ifjslDkj&nonce=n-0S6_WzA2Mj&sessionToken=0HsohZYpJgMSHwmL9TQy7RRzuY

1 Like
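To make the two steps discussed in this thread concrete, here is an added Python example (my code, not Okta's and not from the original posts). It performs the /api/v1/authn call from the first post, builds the /authorize URL with percent-encoded parameters as in the documentation link above, sends it as a GET without following the redirect, and reads the id_token and the sid cookie off the 302 itself. The org domain, client_id and redirect_uri are the ones posted in the thread; the username, password, state and nonce are placeholders; the response-classification helper and its 'kind' labels are my own construction.

```python
"""Exchange an Okta sessionToken for a session cookie (added example)."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

OKTA_DOMAIN = "https://dev-78000243.okta.com"      # org domain from the thread
CLIENT_ID = "0oa7zwlcfdaYTTBpx5d7"                 # client_id from the thread
REDIRECT_URI = "com.okta.dev-78000243:/callback"   # redirect_uri from the thread


def get_session_token(domain, username, password):
    """Step 1: primary authentication; returns the one-time sessionToken."""
    body = json.dumps({
        "username": username,
        "password": password,
        "options": {"multiOptionalFactorEnroll": False,
                    "warnBeforePasswordExpired": False},
    }).encode()
    req = urllib.request.Request(
        domain + "/api/v1/authn", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    # Any status other than SUCCESS (MFA_REQUIRED, PASSWORD_EXPIRED, ...) carries no sessionToken.
    if data.get("status") != "SUCCESS":
        raise RuntimeError(f"authn did not complete: status={data.get('status')}")
    return data["sessionToken"]


def build_authorize_url(domain, client_id, redirect_uri, session_token,
                        state, nonce, auth_server=None):
    """Step 2: build the /authorize URL. urlencode() percent-encodes every value,
    so redirect_uri becomes com.okta.dev-78000243%3A%2Fcallback as in the docs."""
    path = f"/oauth2/{auth_server}/v1/authorize" if auth_server else "/oauth2/v1/authorize"
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "scope": "openid",
        "prompt": "none",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "sessionToken": session_token,
    }
    return domain + path + "?" + urllib.parse.urlencode(params)


def classify_authorize_response(status, location, set_cookie_headers, body=b""):
    """Interpret the raw /authorize reply without following the redirect.
    'kind' is 'ok' (id_token + sid cookie), 'oidc_error' (e.g. login_required
    in the redirect) or 'api_error' (non-redirect reply, e.g. the 405 body)."""
    if status in (302, 303):
        parts = urllib.parse.urlsplit(location or "")
        # response_type=id_token puts the parameters in the fragment; fall back to the query.
        params = dict(urllib.parse.parse_qsl(parts.fragment or parts.query))
        jar = SimpleCookie()
        for raw in set_cookie_headers:
            jar.load(raw)
        sid = jar["sid"].value if "sid" in jar else None
        if "error" in params:
            return {"kind": "oidc_error", "error": params["error"],
                    "description": params.get("error_description"),
                    "state": params.get("state")}
        return {"kind": "ok", "id_token": params.get("id_token"),
                "sid": sid, "state": params.get("state")}
    try:
        err = json.loads(body or b"{}")
    except ValueError:
        err = {}
    return {"kind": "api_error", "status": status,
            "errorCode": err.get("errorCode"), "errorSummary": err.get("errorSummary")}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface the 302 instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def request_authorize(url):
    """Send the GET (the method is pinned explicitly, since the thread's E0000022
    error says the method was rejected) and classify whatever comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, method="GET"))
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx all arrive here
        resp = err
    return classify_authorize_response(
        resp.code, resp.headers.get("Location"),
        resp.headers.get_all("Set-Cookie") or [], resp.read())


if __name__ == "__main__":
    token = get_session_token(OKTA_DOMAIN, "user@example.com", "<password>")  # placeholders
    url = build_authorize_url(OKTA_DOMAIN, CLIENT_ID, REDIRECT_URI, token,
                              state=secrets.token_urlsafe(16),
                              nonce=secrets.token_urlsafe(16), auth_server="default")
    print(request_authorize(url))
```

The redirect is deliberately not followed: the sid cookie arrives in the Set-Cookie header of the 302, and a client that follows the redirect into a custom scheme like com.okta.dev-78000243:/callback would either fail or discard that header. The same applies to Postman, where "Automatically follow redirects" should be off for this request.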

I am using Postman; this is now the URL I am using, but I still get the same error:

https://dev-78000243.okta.com/oauth2/v1/authorize?redirect_uri=com.okta.dev-78000243%3A%2Fcallback&client_id=0oa7zwlcfdaYTTBpx5d7&response_type=id_token&prompt=none&state=faf1747c-6691-417a-baf2-ae334102d4e7_1674489767339&nonce=31cfd5ee-2f90-49a0-9de3-db7d920a108b_1674489767340&sessionToken=201117OZYjgCA_eiisko0IUFqdNacNdyV3cCTni3wQEa8WdcgqLHcbW&scope=openid

I also removed the ‘default’ server ID, but it does not make any difference. When pasting this URL (without prompt=none) into Chrome, however, the sign-in page comes up. But my login will not work on that page and I get “unable to sign in”.

Do you see any specific errors in the Network events/console when you try to login? Is the same user otherwise able to log into your org with the same credentials by navigating to the main org login page?

Another thing you might want to check is your Authentication/Session policy, in case there is a policy for the specific application in question that is related to this failure.

1 Like

I was able to get it to work in my app. I just cannot get it to work in Postman.

Bummer, are you using our Postman Collections by chance - Postman Collections | Okta Developer?