Hey there, I’m trying to do Native SSO with the Token Exchange grant type flow. But when I do this, I get an error from the token endpoint for the 2nd app. Here are the steps I’m performing:
NOTE: If I carry out the first two steps in the browser rather than Postman, this works just fine. When I didn’t clear any cookies at first, it initially worked fine in Postman as well. However, it ended in failure when I tried deleting the cookies. I started getting the following error:
{
"error": "invalid_grant",
"error_description": "The client's assurance requirements are not met."
}
By default (assuming your Okta Org has not had a FF enabled), if an /authorize call has both a sessionToken passed and a sessionCookie set in the browser (Postman), Okta will use the sessionCookie.
A couple of possible issues:
You tested with two different users. The first user had access to both app1 and app2, and it was that user that was being used for each test if there was an existing sessionCookie for them stored in the browser/Postman. Once the cookie was deleted in Postman, the /authorize call fell back to the sessionToken, which may now be tied to user2, who does not have access to app2.
Similar to the above, the idToken being used does not match the user who did the /authorize call (or the session) if the new values were not updated each time.
I would need to test both scenarios to see which might potentially lead to this specific error. There could be other similar situations as well, potentially being caused by the sessionCookie value taking precedence over the sessionToken value in the /authorize call.
Let us know if checking either of the above resolves the issue. If not, we can try to set up a repo.
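As an added example (not code from this thread or from Okta), here is a small offline Python diagnostic for the two situations the reply above describes: a leftover session cookie in the client that would take precedence over the sessionToken on /authorize, and an idToken whose user or client does not match the one you intend to exchange. It assumes Okta's session cookie is named `sid` (an assumption), uses the standard OIDC `sub` and `aud` claims, and builds a constructed, unsigned JWT so it can run without an org; the claim decoder deliberately skips signature verification because it is only for troubleshooting, never for authorization decisions.

```python
import base64
import json


def _b64url_encode(obj) -> str:
    """base64url-encode a JSON object without padding (JWT convention)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned (alg=none) JWT for local testing only.
    Real Okta idTokens are signed; this stand-in just lets the diagnostics
    below run offline."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.
    Only for checking which user/client a token was minted for; never base an
    authorization decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_native_sso(id_token: str, expected_sub: str, expected_client_id: str,
                        cookies: dict, session_cookie_name: str = "sid") -> list:
    """Return (code, detail) findings that can explain an invalid_grant /
    'assurance requirements are not met' failure in the token-exchange step.

    cookies: the cookie jar the /authorize call would send (e.g. Postman's).
    session_cookie_name: Okta's session cookie name; 'sid' is an assumption.
    """
    findings = []
    # 1. A session cookie wins over the sessionToken on /authorize, so the
    #    session it identifies, not the sessionToken's user, receives the idToken.
    if session_cookie_name in cookies:
        findings.append((
            "session_cookie_present",
            f"cookie '{session_cookie_name}' overrides the sessionToken passed to "
            "/authorize; clear it or make sure it belongs to the same user",
        ))
    claims = decode_jwt_claims(id_token)
    # 2. The idToken used as subject_token must belong to the user being exchanged.
    if claims.get("sub") != expected_sub:
        findings.append(("sub_mismatch",
                         f"idToken sub={claims.get('sub')!r}, expected {expected_sub!r}"))
    # 3. The idToken must have been issued to the first app's client.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_client_id not in aud:
        findings.append(("aud_mismatch",
                         f"idToken aud={aud!r} does not include {expected_client_id!r}"))
    return findings


# Constructed sample values (not from any real org).
SAMPLE_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://example.okta.com/oauth2/default",
    "sub": "00u_test_user",
    "aud": "app1_client_id",
})

if __name__ == "__main__":
    # Clean run: no cookie, matching user and client -> no findings.
    print(diagnose_native_sso(SAMPLE_ID_TOKEN, "00u_test_user", "app1_client_id", {}))
    # Postman still holding a session cookie, and the token is for another user.
    print(diagnose_native_sso(SAMPLE_ID_TOKEN, "00u_admin", "app1_client_id", {"sid": "stale"}))
```

To use it against a real run, paste the idToken returned to the first app, the `sub` of the user whose sessionToken you passed, the first app's client ID, and the cookies your client holds for the org; an empty list means neither of the two explanations above applies and something else is going on.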
Hi @erik , what do you mean by FF? Do you mean Feature Flag?
No, I have only tested it for a single user who is assigned to both applications.
I updated new values every time while I tested; the idToken matched. The only difference was that it worked all good in Postman until I cleared the cookies. As I indicated, if I make the first two calls in the browser and then try to make the remaining two calls from Postman, everything works flawlessly.
Perhaps you’re logged in in the browser as a different user than the one you used in postman? E.g. logged in in the browser as your Okta admin account, not the test account?