Getting an accessToken from a sessionToken

We have a scenario in our app where a user exchanges username and password for an Okta sessionToken. Our separate API uses the accessToken to authenticate requests. Is there any way to exchange a sessionToken for an accessToken via an API request? I have tried /oauth2/:authorizationServerId/v1/authorize and /oauth2/:authorizationServerId/v1/token without any luck.

Any additional information could help. What do you mean “without any luck?” Are you getting an error? Are you getting an authorization code but can’t exchange it through the tokens endpoint?

https://developer.okta.com/docs/api/resources/oauth2.html#obtain-an-authorization-grant-from-a-user

The /authorize endpoint takes a sessionToken that you can pass.

Looking forward to getting some additional information here. :slight_smile:

Hi, I think I’m attempting the same thing, and also getting nowhere fast.

The goal is to get hold of parts of the profile where we’ve stashed application-specific role assignment. I can POST to {{url}}/api/v1/authn with creds in the body and get a session token which looks like it lasts 5 minutes. Then the idea is we use the session token to obtain an access token from which we can call the userinfo endpoint to retrieve profile information.

GET {{url}}/oauth2/v1/authorize?sessionToken={{sessionToken}}&client_id={{clientId}}&response_type=token&prompt=none&response_mode=fragment&scope=openid&redirect_uri={{redirectUri}}&state={{$guid}}&nonce={{$guid}}

BasicAuth has the clientID and secret. If I run it in Postman the API responds with Javascript, even though I’ve set Accept and Content-Type headers to be application/json. If I try curl, I get no response whatsoever.

Does Javascript mean a webpage in your question? I would remove the basic authorization header, that isn’t necessary.

Postman does some weird stuff and requires interceptor. It might be following the 302 redirect. You should not be using the authorize route from an XHR perspective, you should be redirecting the client to the authorize route.

When used successfully, the authorize route should 302 back to your application with the access token in the URL fragment if the sessionToken is still valid.

https://developer.okta.com/authentication-guide/implementing-authentication/implicit

You also need to make sure your application is set up correctly.

Let me know any other questions!

Thanks for the pointers. If I asked curl to follow redirects it took me to my SPA testing out okta-auth-js on localhost. I thought it would be clearer to see what’s going on by taking the individual steps apart, but not when there are redirects.

It took a while to realise that “this is not the raw access token” really meant “store the token from token.getWithoutPopup in the tokenManager and get it from there when calling token.getUserInfo”. At least, that’s how I got it to work.

Hi Tom,
We are looking for a solution to a similar issue we are seeing in our custom Angular App.

Here are the specifics:

  1. We have a Web Application portal into which users log in (not using Okta’s login page, just an SPA application login page).
  2. We have created an App Integration in Okta which has Application Type set to the ‘PKCE’ flow (Client id: 0oa11vj7xc5CwbRVz0h8).
  3. We capture the user email and password from the front end, pass it to the server side, and make an Okta API call to the Authentication API, receiving a SessionToken back.
  4. We need to get a user-specific access token in the server-side code and pass it as a JWT token to another API / redirect the user to another SAML App without getting prompted to log in.

What we tried doing (using Postman):
Make a call to the /authorize endpoint, passing the session token (and other relevant parameters). We received both:

{{url}}/oauth2/v1/authorize?client_id={{clientId}}&response_type=id_token token&response_mode=fragment&scope={{scopes}}&redirect_uri={{redirectUrl}}&state={{state}}&nonce={{$guid}}&sessionToken={{sessionToken}}&prompt=none

Access Token: checked validity using POST /oauth2/v1/introspect?client_id=<> with parameters token={Access Token} & token_type_hint=access_token. GOOD
ID Token: checked validity using POST /oauth2/v1/introspect?client_id=<> with parameters token={ID Token} & token_type_hint=id_token. GOOD

Once we got a valid Access Token & ID Token we redirected to the application’s protected URL (custom app protected URL, SAML app endpoint)
using /login/sessionCookieRedirect with token={ID Token} & access_token={Access Token}. It redirects to the URL but again prompts for login.

x-okta-request-id: YfgQNMwAlL5rrQjWyaVo3wAACXU

Since the user was already authenticated in the previous step using the Authentication API, we don’t want them to have to put in credentials again. Are we doing anything wrong here, or have we missed any step?
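The step both posters are working through (Tom’s advice to send the browser to /authorize with the sessionToken and read the tokens out of the 302’s URL fragment, and the Angular poster’s `response_type=id_token token` request with `prompt=none`) as an added, self-contained example. It is not code from this thread or from Okta; the org URL, client id and redirect URI are placeholders, and the two Location headers it parses are constructed to look like Okta’s redirect back to the app. It builds the /authorize URL with an unguessable `state` and `nonce`, parses the redirect without following it, checks the redirect landed on our registered redirect_uri, rejects a `state` that does not match the request, surfaces the `error` that a spent or expired sessionToken produces under `prompt=none`, and reads the `nonce` claim back out of the ID token so the caller can tie it to the request.

```python
"""Build an Okta /authorize request that carries a sessionToken and parse
the 302 it answers with. Added example, not Okta's code; all values below
are placeholders or constructed samples."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ORG_URL = "https://example.okta.com"             # placeholder org URL
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"               # placeholder client id
REDIRECT_URI = "http://localhost:8080/callback"   # placeholder; must be registered on the app


def new_request_values():
    """Fresh, unpredictable state (CSRF binding) and nonce (ID token binding)."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def build_authorize_url(session_token, state, nonce,
                        response_type="id_token token", scope="openid profile"):
    """The implicit-flow /authorize URL from the thread. The browser is sent
    here (no XHR, no basic-auth header); Okta answers with a 302 whose
    Location carries the tokens in the URL fragment."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": response_type,
        "response_mode": "fragment",
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "sessionToken": session_token,
        "prompt": "none",
    }
    return f"{ORG_URL}/oauth2/v1/authorize?{urlencode(params)}"


def parse_redirect_location(location, expected_state):
    """Parse the Location header of the 302 instead of following it.
    Returns {"ok": True, "tokens": {...}} or {"ok": False, "error": "..."}."""
    parts = urlsplit(location)
    if parts[:3] != urlsplit(REDIRECT_URI)[:3]:
        return {"ok": False, "error": "redirect did not land on our redirect_uri"}
    frag = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if "error" in frag:
        # With prompt=none, a used or expired sessionToken comes back as an
        # OAuth error (for example login_required) rather than a login page.
        return {"ok": False, "error": f"{frag['error']}: {frag.get('error_description', '')}"}
    if not secrets.compare_digest(frag.get("state", ""), expected_state):
        return {"ok": False, "error": "state mismatch: response is not for our request"}
    return {"ok": True, "tokens": frag}


def id_token_nonce(id_token):
    """Read the nonce claim from an ID token payload. This only decodes the
    payload; the signature must be verified against the org's JWKS before
    any claim is trusted (not shown here)."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("nonce")


def _fake_jwt(payload):
    """Constructed, unsigned token shaped like a JWT, for the sample below only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed sample redirects, shaped like Okta's 302 Location back to the app.
SAMPLE_ID_TOKEN = _fake_jwt({"sub": "user-constructed", "nonce": "nc-456"})
SAMPLE_LOCATION = REDIRECT_URI + "#" + urlencode({
    "access_token": "at-constructed", "token_type": "Bearer", "expires_in": "3600",
    "scope": "openid profile", "state": "st-123", "id_token": SAMPLE_ID_TOKEN,
})
SAMPLE_ERROR_LOCATION = REDIRECT_URI + "#" + urlencode({
    "error": "login_required", "error_description": "constructed description", "state": "st-123",
})

if __name__ == "__main__":
    state, nonce = new_request_values()
    print(build_authorize_url("SESSION_TOKEN_PLACEHOLDER", state, nonce))
    print(parse_redirect_location(SAMPLE_LOCATION, "st-123"))
    print(parse_redirect_location(SAMPLE_ERROR_LOCATION, "st-123"))
```

In a real run the request to the URL from `build_authorize_url` is made with redirects disabled (curl without `-L`, or Postman with redirect following turned off) and the `Location` header is handed to `parse_redirect_location`; the `state` passed in must be the one generated for that request, and the nonce read by `id_token_nonce` is compared to the request’s nonce only after the token signature has been verified.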