Getting access token using session token from two different auth server

Questions OAuth/OIDC
1

There are two authentication server

  1. Organization server
  2. Custom server

My application requires access token from both server. Currently i’m trying to get access_token using session token. I am following the oauth2 approach to get the access_token using html iframe element by passing session_token.

Url for organization auth server.
https://$domain/oauth2/v1/authorize?client_id=xxxx&response_type=code&scope=openid offline_access&redirect_uri=$redirectUrl&state=xxxx&sessionToken=$token&code_challenge=xxx&code_challenge_method=S256&prompt=none&response_mode=query&nonce=xxxxxx

Url for custom auth server.
https://$domain/oauth2/$serverId/v1/authorize?client_id=xxxx&response_type=code&scope=openid offline_access&redirect_uri=$redirectUrl&state=xxxx&sessionToken=$token&code_challenge=xxx&code_challenge_method=S256&prompt=none&response_mode=query&nonce=xxxxxx

The first server will respond with proper access_token, but second auth server returns error response as

{
“error”: “invalid_request”,
“error_description”: “The grant was issued for another authorization server.”
}
2

Hello,

A sessionToken is a one-time token. Once it is used it can’t be reused.
After the first /authorize call your browser should set the Okta session in your browser and at that point you can make /authorize calls without a sessionToken to any authorization server in your Org.

Your error sounds like you might be making an /authorize call to one authorization server, and then using the returned code value to make the /token call to another authorization server.
This is not allowed.

Thank You,

2 Likes