/authorize keeps returning 200 instead of 302

I am building /authorize api manually for some reason the response started to come back is 200. a couple of times I got 302 response but all of the sudden the response started coming back as 200 with header.Location is null. my server localhost:5000 is up and running. any idea why?
using the following code

var handler = new HttpClientHandler()
{
AllowAutoRedirect = true
};
using (HttpClient client = new HttpClient(handler))
{
var queryParams = new Dictionary<string, string>()
{
{“client_id”, “0oar5j158zAyMnrIO0h7” },
{“state”, “evauth” },
{“redirect_uri”,“http://localhost:5000/signin-oidc” },
{“scope”, “openid groups profile email”},
{“nonce”, “alloha345”},
{“response_type”, “code”},
};

            string url = QueryHelpers.AddQueryString("https://{domain}.oktapreview.com/oauth2/auspx13uvj6eHSM9c0h7/v1/authorize", queryParams);
            HttpRequestMessage message = new HttpRequestMessage(HttpMethod.Get, url);

            var response = client.SendAsync(message);
            response.Wait();
            var res = response.Result;
        }

here is my application in OKTA


have you tried the same request in Postman?

Yes… 200 response

what is the body for this reply? is it okta login page?

Hi @jelbatnigi

If there is no Okta session or no sessionToken passed as a query parameter, then there is no user context and Okta will automatically display the log in page.

Hi dragos,
Yes that makes sense. If I do this through the browser i get the 302 response with the authorization code in the uri_direct query. which means the user context are passed in from the browser?

If I want to do this on the back channel, how can I pass in the user context without having the user login manually.

for example I have a restful service which someone will invoke say from the browser. I want to authenticate the user first using the /authorize call. How can I get the user context given that the user invoking the service is part of the AD group on OKTA and has access to the OKTA application.

Hi @jelbatnigi,

You will get a session token back from the /authn call.
https://developer.okta.com/docs/reference/api/authn/#request-example-for-primary-authentication-with-public-application

When you call the /authorize endpoint, pass this session token as a parameter which allows an API based user sign-in
https://developer.okta.com/docs/reference/api/oidc/#authorize

Hope this helps.

Hi Vijet,
Yes but I still need user credentials to request a sessiontoken right? I am trying to drive this flow from the original request. I want automatic sign in without providing login page with user and password.

here is the flow that I would like to implement:

  1. from the browser a user requests a url from the server http://localhost:5000/api/get
  2. I want to redirect to /authorize to authenticate the user
  3. get the code from header.location and call /token to get the access token store it somewhere (cookie).
  4. return 200 with results if authenticated or 401 if not from original request in step1.

The OpenIdConnect library in dotnet does the same thing. except the /authorize request returns a 200 and I have no clue how the redirect_uri gets the code and make a request to get the toke.

I want to implement this manually myself.