Getting an access token using a session token from two different auth servers

There are two authentication servers:

  1. Organization server
  2. Custom server

My application requires access tokens from both servers. Currently I'm trying to get the access_token using a session token. I am following the OAuth2 approach to get the access_token using an HTML iframe element by passing the session_token.

URL for the organization auth server:
https://$domain/oauth2/v1/authorize?client_id=xxxx&response_type=code&scope=openid offline_access&redirect_uri=$redirectUrl&state=xxxx&sessionToken=$token&code_challenge=xxx&code_challenge_method=S256&prompt=none&response_mode=query&nonce=xxxxxx

URL for the custom auth server:
https://$domain/oauth2/$serverId/v1/authorize?client_id=xxxx&response_type=code&scope=openid offline_access&redirect_uri=$redirectUrl&state=xxxx&sessionToken=$token&code_challenge=xxx&code_challenge_method=S256&prompt=none&response_mode=query&nonce=xxxxxx

The first server responds with a proper access_token, but the second auth server returns this error response:

{
  "error": "invalid_request",
  "error_description": "The grant was issued for another authorization server."
}

Hello,

A sessionToken is a one-time token. Once it is used, it can't be reused.
After the first /authorize call your browser should have the Okta session set, and at that point you can make /authorize calls without a sessionToken to any authorization server in your Org.

Your error sounds like you might be making an /authorize call to one authorization server, and then using the returned code value to make the /token call to another authorization server.
This is not allowed.

Thank You,
