Creating token with authorization code


I am new to Okta and want to create an access token for a user. Currently I am trying to do that with Postman. My current steps are:

  1. Calling the api/v1/authn endpoint => I receive the sessionToken
  2. Calling the oauth2/v1/authorize endpoint with: client_id, response_type = code, response_mode = query, scope = openid, redirect_uri, state = some value, nonce = a guid, sessionToken = the received sessionToken => I receive the code in the location header
  3. Calling the oauth2/default/v1/token endpoint with grant_type = authorization_code, code = the code from the 2nd call, redirect_uri = same value as in the 1st call, and as authentication I use the clientId and secret (it is configured as a web app in the Okta menu). => The 3rd call is forbidden every time and I do not know why. Can somebody help me?
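The three Postman steps above as a script, added here as an example (it is not code from the thread or from Okta). The org URL, client id, client secret and redirect URI are placeholders; `requests` is used only inside `run_flow`, the URL helpers are standard library. The `same_issuer` check captures the point of the answers: the authorize and token calls must be made against one authorization server, and the script reads the authorization server out of each URL and refuses to proceed when they differ.

```python
# Added example, not from the thread: Okta authorization-code flow with a
# sessionToken, with an explicit issuer-consistency check before the token call.
# All org/client values below are placeholders.
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OKTA_ORG = "https://dev-000000.okta.com"      # placeholder org URL
# Custom authorization server (for protecting your own APIs). For the org
# server this would be f"{OKTA_ORG}/oauth2"; either way, use ONE issuer for
# both the authorize and the token request.
ISSUER = f"{OKTA_ORG}/oauth2/default"
CLIENT_ID = "0oa-placeholder-client-id"        # placeholder
CLIENT_SECRET = "placeholder-client-secret"    # placeholder
REDIRECT_URI = "https://localhost:8080/callback"


def authorize_url(issuer, client_id, redirect_uri, session_token, state, nonce):
    """Step 2: /v1/authorize URL that turns a sessionToken into an authorization code."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "sessionToken": session_token,
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def code_from_location(location, expected_state):
    """Parse the redirect Location header; refuse a response whose state does not match."""
    query = parse_qs(urlparse(location).query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorize failed: {query['error'][0]}: {desc}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: discard this response")
    return query["code"][0]


def token_request(issuer, client_id, client_secret, code, redirect_uri):
    """Step 3: token endpoint on the same issuer, client authenticated with HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    data = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return f"{issuer}/v1/token", headers, data


def issuer_of(endpoint_url):
    """Authorization server base of an OAuth endpoint URL (everything before /v1/...)."""
    p = urlparse(endpoint_url)
    return f"{p.scheme}://{p.netloc}{p.path.rsplit('/v1/', 1)[0]}"


def same_issuer(authorize_endpoint, token_endpoint):
    """True when both endpoints belong to the same authorization server."""
    return issuer_of(authorize_endpoint) == issuer_of(token_endpoint)


def run_flow(username, password, issuer=ISSUER):
    """Run steps 1-3 against a real org and return the access token."""
    import requests  # imported here so the URL helpers stay dependency-free

    s = requests.Session()
    # Step 1: primary authentication returns a one-time sessionToken.
    r = s.post(f"{OKTA_ORG}/api/v1/authn", json={"username": username, "password": password})
    r.raise_for_status()
    session_token = r.json()["sessionToken"]

    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = authorize_url(issuer, CLIENT_ID, REDIRECT_URI, session_token, state, nonce)
    # Step 2: do not follow the redirect; the code is in the Location header.
    r = s.get(auth_url, allow_redirects=False)
    code = code_from_location(r.headers["Location"], state)

    url, headers, data = token_request(issuer, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    if not same_issuer(auth_url, url):
        raise RuntimeError(f"issuer mismatch: {issuer_of(auth_url)} vs {issuer_of(url)}")
    r = s.post(url, headers=headers, data=data)
    r.raise_for_status()
    return r.json()["access_token"]
```

Swapping `ISSUER` for `f"{OKTA_ORG}/oauth2"` reproduces the mix from the question (org server in step 2, `default` server in step 3) and the issuer check fails before the token call is even sent.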

It looks like you’re having trouble with your request URLs.

For step 3, you must use the same issuer as used for your authorize request, just as you would for any other OAuth endpoints you are using (introspect, userinfo, revoke, etc.). In step 2, you are using oauth2/v1/authorize, so in step 3, you should use oauth2/v1/token.

Hi @user-823402,

As @andreaskouras mentioned, the problem is with your request URLs.
But if you’re trying to get the access token to protect your own APIs (as opposed to Okta endpoint APIs), you should use the api/default/v1 URL.
Change your call to oauth2/v1/authorize in step 2 to oauth2/default/v1/authorize

Here default refers to the custom authorization server that you as an admin have control over. You can customize it according to your needs with regard to scopes, claims, policies, clients that use this server, etc.

oauth2/v1/authorize on the other hand calls the Okta org authorization server, which you don’t have control over. It’s an inbuilt server used by Okta which mints tokens to protect Okta endpoints.

Hope this helps.