Authorization code flow- id_token added unnecessarily in request url

I am trying to implement authorization_code flow in my mvc application . In app settings I have selected Grant type- Authorization_code and client credentials … Request type - Code. still in request url request type is passed as Code&id_token internally … which lead to an [unsupported request type] exception.

app.UseOktaMvc(new OktaMvcOptions()
OktaDomain = ConfigurationManager.AppSettings[“okta:OktaDomain”],
ClientId = ConfigurationManager.AppSettings[“okta:ClientId”],
ClientSecret = ConfigurationManager.AppSettings[“okta:ClientSecret”],
AuthorizationServerId = ConfigurationManager.AppSettings[“okta:AuthorizationServerId”],
RedirectUri = ConfigurationManager.AppSettings[“okta:RedirectUri”],
PostLogoutRedirectUri = ConfigurationManager.AppSettings[“okta:PostLogoutRedirectUri”],
GetClaimsFromUserInfoEndpoint = true,
Scope = new List { “openid”, “profile” },


Please help

Hello @Anuradha,

Is your app webforms?
If not is it ASP.NET, or Core?

Can provide the version of the Okta SDK you are using.

Thank You,

1 Like

Okta.AspNet 1.1.4
Owin 1.0.0
Microsoft.Owin 4.0.0
Microsoft.Owin.Cors 3.0.0
Microsoft.Owin.Security.OpenIdConnect 4.0.0
Microsoft.Owin.Security.OAuth 4.0.0

My website is in MVC .
Target Framework - .Net 4.6

I updated Okta.AspNet to 1.8.0 …
receiving below error now…
Error : { IDX21323: RequireNonce is ‘True’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is found it will be evaluated. }
ErrorInfo : { at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateNonce(OpenIdConnectProtocolValidationContext validationContext) at

Nonce is null? Sounds like your app isn’t able to validate the nonce. Are you ensuring that the .NET app is the one triggering the /authorize request? Does it work if you disable nonce validation as mentioned in the error message?

Hey @andrea Thank you for replying… I made my localhost https and then error was removed.

1 Like