Browserless Session Token => Authorization Code Exchange

Questions OAuth/OIDC
1

Hello, my team has a use case that requires end users to be able to log on without access to a web browser. We are using Okta as an external OpenID Provider and following this How-To document that involves exchanging a session token for an authorization code. Our application can execute the Authorization Code Flow to retrieve id/access/refresh tokens.

Here are the steps we are taking:

  1. The user completes Primary authentication using curl or some other CLI utility generating a sessionToken

  2. The user copies the sessionToken value from the Primary authentication response and forwards it to our client app.

  3. Our client app constructs an authorization URL with the proper parameters, including sessionToken. Here is an example:

https://{okta_domain}/oauth2/v1/authorize?response_type=code&response_mode=form_
post&client_id=0oa1b33v3p5Sa6mAt697&redirect_uri=https://localhost:6050/oauth2/v1/test/code_callback&state=eyJvY19yZXFfaWQiOiIyZTA3MzhlYi1mMjIxLTQyNWYtYWJjYi0wMDgyNmIxMGI0MzIiLCJvY19kYl9pZCI6ImQ5NjFlOTM5LTE5ZmUtNGNmOS1iYmZiLWUyMGIxY
WYwZjMwNCIsIm9jX2Zsb3ciOjJ9&scope=openid%20email%20profile%20groups&prompt=none&sessionToken={{sessionToken}}
  1. Client app sends GET request to the authorization URL. We expect Okta to use the sessionToken as a form of authentication and immediately redirect the client app back to itself with the authorization code. However, the following error is being returned to the client app:
{"request_id":"2e0738eb-f221-425f-abcb-00826b10b432","timestamp":"1655304888","database":"test","error_code":"GENERAL_ERROR","state":"eyJvY19yZXFfaWQiOiIyZTA3MzhlYi1mMjIxLTQyNWYtYWJjYi0wMDgyNmIxMGI0MzIiLCJvY19kYl9pZCI6ImQ5NjFlOTM5LTE5ZmUtNGNmOS1iYmZiLWUyMGIxYWYwZjMwNCIsIm9jX2Zsb3ciOjJ9","error_description":"the client specified not to prompt, but the user is not logged in."}

Is the sessionToken insufficient? Are there additional headers that Okta expects when receiving the authorization request? Any assistance on this is greatly appreciated!

FWIW, the client application is using a libcurl wrapper to execute the authorization request.

2

Responded in your other thread, closing this one: Can I exchange a Session Token retrieved via Primary Authentication for an Authorization Code - #2 by andrea