Getting an accessToken from a sessionToken

We have a scenario in our app where a user exchanges username and password for an Okta sessionToken. Our separate API uses the accessToken to authenticate requests. Is there any way to exchange a sessionToken for an accessToken via an API request? I have tried /oauth2/:authorizationServerId/v1/authorize and /oauth2/:authorizationServerId/v1/token without any luck.

Any additional information could help. What do you mean “without any luck?” Are you getting an error? Are you getting an authorization code but can’t exchange it through the tokens endpoint?

https://developer.okta.com/docs/api/resources/oauth2.html#obtain-an-authorization-grant-from-a-user

The /authorize endpoint takes a sessionToken that you can pass.

Looking forward to getting some additional information here. 🙂

Hi, I think I’m attempting the same thing, and also getting nowhere fast.

The goal is to get hold of parts of the profile where we’ve stashed application-specific role assignment. I can POST to {{url}}/api/v1/authn with creds in the body and get a session token which looks like it lasts 5 minutes. Then the idea is we use the session token to obtain an access token from which we can call the userinfo endpoint to retrieve profile information.

GET {{url}}/oauth2/v1/authorize?sessionToken={{sessionToken}}&client_id={{clientId}}&response_type=token&prompt=none&response_mode=fragment&scope=openid&redirect_uri={{redirectUri}}&state={{$guid}}&nonce={{$guid}}

BasicAuth has the clientID and secret. If I run it in Postman the API responds with JavaScript, even though I’ve set Accept and Content-Type headers to be application/json. If I try curl, I get no response whatsoever.

Does JavaScript mean a webpage in your question? I would remove the basic authorization header, that isn’t necessary.

Postman does some weird stuff and requires the Interceptor. It might be following the 302 redirect. You should not be using the authorize route from an XHR perspective, you should be redirecting the client to the authorize route.

When used successfully, the authorize route should 302 back to your application with the access token in the URL fragment if the sessionToken is still valid.

https://developer.okta.com/authentication-guide/implementing-authentication/implicit

You also need to make sure your application is set up correctly.

Let me know any other questions!

Thanks for the pointers. If I asked curl to follow redirects it took me to my SPA testing out okta-auth-js on localhost. I thought it would be clearer to see what’s going on by taking the individual steps apart, but not when there are redirects.

It took a while to realise that “this is not the raw access token” really meant “store the token from token.getWithoutPopup in the tokenManager and get it from there when calling token.getUserInfo”. At least, that’s how I got it to work.
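As an added example (not code from anyone in this thread), here is the flow the replies describe, in Python: build the /oauth2/v1/authorize URL carrying the sessionToken, then validate the 302 Location that comes back in fragment mode, checking state before trusting the access_token and surfacing an error= fragment (which is what you get when the sessionToken has already expired). The Okta org URL, client id, redirect URI and token values are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authorize_url(okta_url, client_id, session_token, redirect_uri, state, nonce):
    """Build the implicit-flow authorize URL from the thread (response_type=token,
    prompt=none). Browser is redirected here; it is not called as an XHR."""
    params = {
        "sessionToken": session_token,
        "client_id": client_id,
        "response_type": "token",
        "prompt": "none",
        "response_mode": "fragment",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{okta_url}/oauth2/v1/authorize?{urlencode(params)}"


def parse_redirect(location, expected_state):
    """Parse the Location header of the 302 the authorize endpoint returns.
    The token (or the error) lives in the URL fragment, not the query string."""
    fields = {k: v[0] for k, v in parse_qs(urlsplit(location).fragment).items()}
    # Reject a redirect that does not belong to the request we started (CSRF check).
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    # An expired sessionToken with prompt=none yields an error fragment, not a token.
    if "error" in fields:
        raise ValueError(f"{fields['error']}: {fields.get('error_description', '')}")
    if "access_token" not in fields:
        raise ValueError("redirect carried neither access_token nor error")
    return fields


# Constructed sample: what a successful 302 Location from Okta looks like.
SAMPLE_STATE = "abc123"
SAMPLE_LOCATION = (
    "https://app.example.com/callback#access_token=eyJ.constructed.token"
    "&token_type=Bearer&expires_in=3600&scope=openid&state=" + SAMPLE_STATE
)

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("https://example.okta.com", "0oaCONSTRUCTED",
                              "SESSION_TOKEN_PLACEHOLDER", "https://app.example.com/callback",
                              state, nonce))
    print(parse_redirect(SAMPLE_LOCATION, SAMPLE_STATE)["access_token"])
```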