Hosted Login Page Redirection with ID and Access token

One of our major wish-list items (requirements) is to have a single login page for all our applications.
Actually, we don’t want to create a login page for any of our applications. Whenever a user navigates to one of our applications and we find there is no active session, we would like to redirect that user to something like “company.okta.com/appid/”.

I was able to make some progress in one of the SPA apps I have.

  1. In the “Login Initiated by” dropdown I selected “Either Okta or App”.
  2. Then in the “Login Flow” I chose “Send ID Token directly to app (Okta Simplified)”.

Good thing
All logins get redirected to the url https://company.oktapreview.com/home/oidc_client/0oajt35pfdGKfssfs7/aln5z7uhksdvge7bMy0g7

Bad thing
After a successful login on the URL above it redirects back to the App Redirect URL by HTTP POST. But I was expecting an HTTP GET with the ID Token & Access Token appended to the URL, like the usual implicit flow. This does not seem to happen.
So we would like some help to figure out how to get the Access Token back.

I think for Login Flow I should be choosing “Redirect to app to initiate login (OIDC Compliant)” instead of “Send ID Token directly to app (Okta Simplified)”.

Okta documentation says: "Redirecting to the app to start the login conforms to Section 4 of the OpenID Connect specification. When the end-users click an Okta chiclet, they are redirected to the initiate_login_uri of the client application, which constructs an authorization request and redirects the end-user back to Okta."

https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard.htm?Highlight=app%20integration

Once it reaches my app, I should construct the https://developer.okta.com/docs/api/resources/oidc#authorize .
Then redirect back to Okta. After authorization it will redirect back to my app. This is an assumption; I will try this tomorrow.

Hi @naseem

The issue occurs because the OIDC application sends response_mode=form_post when redirecting to the /authorize endpoint. To resolve this use case, you can create a new bookmark application in Okta by going to Admin >> Applications >> Add Application and searching for “Bookmark App”. This will create a chiclet that, when clicked, will redirect to a static link.

This static link would need to be the link to /authorize endpoint, passing client_id and response_mode=fragment, in order to send the JWT tokens as fragment parameters in the url, same as implicit flow does.

The bookmark application would need to be assigned to the same users that have access to the initial OIDC app, and the OIDC app would then need to be hidden from the end user dashboard.

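The /authorize request with response_mode=fragment discussed in the thread, and the checks the SPA should run on the fragment it gets back, as an added example that is not part of either post and not Okta's code. The function names, client ID, redirect URI and scope are assumptions, and the `/oauth2/v1/authorize` path assumes the org authorization server.

```javascript
// Added example: helper names are hypothetical; client ID and redirect URI are placeholders.
const OKTA_ORG = 'https://company.oktapreview.com';       // org URL as it appears in the thread
const CLIENT_ID = 'YOUR_CLIENT_ID';                       // placeholder
const REDIRECT_URI = 'https://app.example.com/callback';  // placeholder

// 128-bit random value, hex encoded, used for state and nonce.
function randomToken() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Build the /authorize URL the app redirects the browser to.
// response_mode=fragment makes Okta return the tokens in the URL fragment
// instead of the form_post the original poster observed.
function buildAuthorizeUrl(state = randomToken(), nonce = randomToken()) {
  const url = new URL('/oauth2/v1/authorize', OKTA_ORG);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: 'id_token token',
    response_mode: 'fragment',
    scope: 'openid profile',
    redirect_uri: REDIRECT_URI,
    state,
    nonce,
  }).toString();
  return { url: url.toString(), state, nonce };
}

// Decode the JWT payload (base64url). This does NOT verify the signature.
function decodeJwtPayload(jwt) {
  const part = jwt.split('.')[1] || '';
  return JSON.parse(atob(part.replace(/-/g, '+').replace(/_/g, '/')));
}

// Parse the callback fragment and reject responses that do not match the
// state and nonce this browser session generated before redirecting.
function readCallback(hash, expected) {
  const p = new URLSearchParams(hash.replace(/^#/, ''));
  if (p.get('error')) throw new Error(`authorize error: ${p.get('error')}`);
  if (p.get('state') !== expected.state) throw new Error('state mismatch');
  const idToken = p.get('id_token');
  const accessToken = p.get('access_token');
  if (!idToken || !accessToken) throw new Error('missing token in fragment');
  if (decodeJwtPayload(idToken).nonce !== expected.nonce) throw new Error('nonce mismatch');
  return { idToken, accessToken };
}
```

In a browser the caller would store `state` and `nonce` (for example in sessionStorage) before redirecting and pass `location.hash` to `readCallback` on return. The ID token signature still has to be verified against the issuer's published keys before its claims are trusted.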