Authorization code exchanging for tokens returns values for the previously signed-in user

Hello,

We have a pretty weird issue with access tokens.

Here is the scenario:

We use our own Authorization Service with it is own Sign-In page and this service communicates with Okta API. We implemented API-based user login flow based on documentation.

User A launches Web Application A and this application redirects user to our internal Authorization Service Sign-In form.

User A enters username and password and clicks “Sign-In” button.

Authorization Service back-end performs Primary Authentication request:
Request:
curl -v -X POST
-H “Accept: application/json”
-H “Content-Type: application/json”
-d ‘{
“username”: “userA@test.com”,
“password”: “1234567Aa!”
}’ “https://xxx.okta.com/api/v1/authn”

Response:
{
“expiresAt”:“2019-01-24T21:45:02.000Z”,
“status”:“SUCCESS”,
“sessionToken”:"<session_token>",
“_embedded”:{
“user”:{
“id”:“1234567890”,
“passwordChanged”:“2019-01-24T20:14:30.000Z”,
“profile”:{
“login":"userA@test.com”,
“firstName”:“Test”,
“lastName”:“User A”,
“locale”:“en”,
“timeZone”:“America/Los_Angeles”
}
}
}
}

Authorization Service back-end extracts Session Token value from the response and gets authorization code by session:

Request:
curl -v -X GET
-H “Accept: application/json”
“https://xxx.okta.com/oauth2/{authorizationServerId}/v1/authorize?client_id={clientId}&scope=openid offline_access&sessionToken={sessionToken}&response_type=code&state={state}&redirect_uri={redirectUri}”

Authorization Service back-end handles request redirect, extracts code parameter from the query string and redirects client application to the Web Application A with code in the query string parameter.

Web Application A exchanges the authorization code for tokens with our internal Authorization Service.

Authorization Service back-end exchanges the authorization code for tokens with Okta API:

Request:
curl -v -X POST
-H “Accept: application/json”
-H “Content-Type: application/x-www-form-urlencoded”
-H “Authorization: Basic MG9hY…”
-d ‘grant_type=authorization_code&redirect_uri={redirectUri}&code={code}’
“https://xxx.okta.com/oauth2/{authorizationServerId}/v1/token”

Response:
{
“access_token”:“eyJra…”,
“token_type”:“Bearer”,
“expires_in”:3600,
“scope”:“openid offline_access”,
“refresh_token”:“TJEV…”,
“id_token”:“eyJra…”
}

This works as expected, but…

If, a second later, User B performs the same action; we receive Access and Id tokens for User A, not User B. This is pretty strange and we cannot find an explanation in documentation which explains why it happens and/or how to fix it.

Could you please clarify why it happens and help us solve the problem? Maybe something is not configured correctly in our Okta account?

That is very strange, I agree. While I try to reproduce it on my side, a quick question: This sounds like a perfect case for the Resource Owner Password flow. Any reason why you aren’t using that? It would be a much simpler way of getting an access token in your Authorization Service backend.

We were thinking about it when found this problem. It will require a couple changes in our apps because our Authorization Service should redirect user to the destination application and should pass all tokens there, somehow (probably in headers) in this case but it does not look like a good approach for Single Sing-In forms, the idea of it that client application receives a short code with short lifetime scope that can be exchanged on tokens. But if there is no solution for the issue we found that can be fixed without changing logic on our side then we will try Resource Owner Password flow, I will double check it locally to be sure we will not get the same tokens set for different users.

Thank you for the update.

I think we found a workaround. It is kind a mix of Authorization Code Flow and Resource Owner Password Flow. Instead of acquiring and passing Authorization Code to the client we send Refresh Token and client can exchange Refresh Token on tokens

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.