Hello, my team has a use case that requires end users to be able to log on without access to a web browser. We are using Okta as an external OpenID Provider and following this How-To document that involves exchanging a session token for an authorization code. Our application can execute the Authorization Code Flow to retrieve id/access/refresh tokens.
Here are the steps we are taking:
- The user completes Primary authentication using curl or some other CLI utility, generating a sessionToken.
- The user copies the sessionToken value from the Primary authentication response and forwards it to our client app.
- Our client app constructs an authorization URL with the proper parameters, including sessionToken. Here is an example:
https://{okta_domain}/oauth2/v1/authorize?response_type=code&response_mode=form_post&client_id=0oa1b33v3p5Sa6mAt697&redirect_uri=https://localhost:6050/oauth2/v1/test/code_callback&state=eyJvY19yZXFfaWQiOiIyZTA3MzhlYi1mMjIxLTQyNWYtYWJjYi0wMDgyNmIxMGI0MzIiLCJvY19kYl9pZCI6ImQ5NjFlOTM5LTE5ZmUtNGNmOS1iYmZiLWUyMGIxYWYwZjMwNCIsIm9jX2Zsb3ciOjJ9&scope=openid%20email%20profile%20groups&prompt=none&sessionToken={{sessionToken}}
- Client app sends a GET request to the authorization URL. We expect Okta to use the sessionToken as a form of authentication and immediately redirect the client app back to itself with the authorization code. However, the following error is being returned to the client app:
{"request_id":"2e0738eb-f221-425f-abcb-00826b10b432","timestamp":"1655304888","database":"test","error_code":"GENERAL_ERROR","state":"eyJvY19yZXFfaWQiOiIyZTA3MzhlYi1mMjIxLTQyNWYtYWJjYi0wMDgyNmIxMGI0MzIiLCJvY19kYl9pZCI6ImQ5NjFlOTM5LTE5ZmUtNGNmOS1iYmZiLWUyMGIxYWYwZjMwNCIsIm9jX2Zsb3ciOjJ9","error_description":"the client specified not to prompt, but the user is not logged in."}
Is the sessionToken insufficient? Are there additional headers that Okta expects when receiving the authorization request? Any assistance on this is greatly appreciated!
FWIW, the client application is using a libcurl wrapper to execute the authorization request.
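The request and callback handling the post describes, as an added example that is not the poster's code and not taken from the Okta document they reference: it assembles the /oauth2/v1/authorize URL with every parameter percent-encoded (sessionToken included), then parses what comes back for response_mode=form_post, which for a CLI client with no browser is the auto-submitting HTML page itself, checking state before trusting anything and surfacing an error/error_description pair when Okta returns one instead of a code. The Okta domain, client_id, redirect_uri, sessionToken value and both callback pages are constructed placeholders; the error sample uses the standard OIDC error code for prompt=none with no session, which the post does not show (it quotes only the description).

```python
"""Assemble an Okta /authorize request that carries a sessionToken and parse the
form_post callback.  Added illustration only: the domain, client_id, token and
callback pages are constructed placeholders, and nothing here talks to a network."""
import secrets
from html.parser import HTMLParser
from urllib.parse import quote, urlencode, urlsplit, parse_qs


def build_authorize_url(okta_domain, client_id, redirect_uri, session_token,
                        scopes, state, response_mode="form_post"):
    """Return the authorization URL.  urlencode() with quote_via=quote and
    safe="" percent-encodes every reserved character in every value (':' and
    '/' in redirect_uri, spaces in scope), so no value can inject a stray '&'."""
    params = {
        "response_type": "code",
        "response_mode": response_mode,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
        "prompt": "none",            # never render a login page: fail instead
        "sessionToken": session_token,
    }
    return (f"https://{okta_domain}/oauth2/v1/authorize?"
            + urlencode(params, safe="", quote_via=quote))


class _HiddenInputs(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> from the auto-submitting
    page that response_mode=form_post returns."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def parse_callback(expected_state, form_post_html=None, location=None):
    """Return ("code", code) or ("error", description).

    Accepts either the form_post HTML body or the Location header of a query
    redirect.  state is compared in constant time before anything else is
    trusted, so a response that does not belong to this request is rejected."""
    if form_post_html is not None:
        parser = _HiddenInputs()
        parser.feed(form_post_html)
        fields = parser.fields
    elif location is not None:
        fields = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
    else:
        raise ValueError("need form_post_html or location")

    if not secrets.compare_digest(fields.get("state", "").encode(), expected_state.encode()):
        return ("error", "state mismatch: callback does not belong to this request")
    if "error" in fields:
        return ("error", f"{fields['error']}: {fields.get('error_description', '')}")
    if "code" not in fields:
        return ("error", "callback carried neither code nor error")
    return ("code", fields["code"])


# Constructed sample callbacks (not captured from Okta).
STATE = "st-constructed-1"
SUCCESS_PAGE = f"""<html><body onload="document.forms[0].submit()">
<form method="post" action="https://localhost:6050/oauth2/v1/test/code_callback">
<input type="hidden" name="code" value="c0de-constructed"/>
<input type="hidden" name="state" value="{STATE}"/>
</form></body></html>"""
# The error code is the standard OIDC one for prompt=none without a session;
# the description is the text quoted in the post.
ERROR_PAGE = f"""<html><body><form method="post" action="https://localhost:6050/oauth2/v1/test/code_callback">
<input type="hidden" name="error" value="login_required"/>
<input type="hidden" name="error_description" value="the client specified not to prompt, but the user is not logged in."/>
<input type="hidden" name="state" value="{STATE}"/>
</form></body></html>"""


def demo():
    url = build_authorize_url("example.okta.com", "0oa-constructed",
                              "https://localhost:6050/oauth2/v1/test/code_callback",
                              "sessionToken-constructed",
                              ["openid", "email", "profile", "groups"], STATE)
    return {
        "url": url,
        "success": parse_callback(STATE, form_post_html=SUCCESS_PAGE),
        "error": parse_callback(STATE, form_post_html=ERROR_PAGE),
        "wrong_state": parse_callback("some-other-state", form_post_html=SUCCESS_PAGE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Run it as-is to see the three outcomes; in a real client the URL goes to the libcurl wrapper and the response body (or Location header) goes to parse_callback, which returns the code only when the state round-trips and no error was posted back.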