How can I exchange a session_token for an access_token in the backend

Hello, I am using a fully custom SPA with no Okta redirects or Okta-hosted pages; everything is managed by us.

I ended up with a session_token that I have to exchange to get a proper access_token. The only endpoint I have found so far is the “/v1/authorize” endpoint, but that relies on an HTTP redirect. Is there a way to exchange a session token for an access token, just getting it from the response?


Use client credentials flow:

I can’t use that, because in the registration flow, I have to call the setPassword endpoint and the only thing I get back is the sessionToken.

Are you saying that I should do nothing with the sessionToken that I get back from the setPassword endpoint and basically do a sign-in with the user’s username and password?

But the /authorize endpoint does have a session token parameter:

sessionToken | Okta one-time session token. This allows an API-based user sign-in flow (rather than the Okta sign-in UI). Session tokens can be obtained via the Authentication API. | Query String | FALSE

The authorize endpoint was the one I was trying to use for the token exchange, but it seems it does not support an API call and returns an HTTP redirect as a response.

Did you try response_type of token?

response_type | Any combination of code, token, and id_token. The combination determines the flow. | Query String | TRUE
response_mode | How the authorization response should be returned. Valid values: fragment, form_post, query or okta_post_message. If id_token or token is specified as the response type, then query isn’t allowed as a response mode. Defaults to fragment in implicit and hybrid flows. | Query String | FALSE

Hi @Govner, I am trying this with both Postman and curl and I am getting HTML back.

curl -v https://{domain}{clientId}&nonce=test&redirect_uri=http://localhost:3000/login&response_type=token&scope=openid&sessionToken={sessiontoken}&state=test

I am getting horrible HTML with this error: error.description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.");

I have configured this URL in Login redirect URIs: http://localhost:3000/login
and the same one in Initiate login URI: http://localhost:3000/login

I also tried the /token endpoint with the password grant and it seems I can’t use it; it is not configured in my App and there is no tick to enable it.


I think I will use the resource owner flow. I won’t care about the session token returned by the setPassword endpoint, but I will proceed to sign in the user with the /oauth2/default/v1/token endpoint.

The only problem I have now is that I can’t set grant_type password for some reason; I can’t see any configuration for this.


It seems that only if you configured your app as native can you see the resource owner option.

Hi @esolanas

If you want to activate resource owner password flow for an OIDC application that is not of type native, please do the following:

  • a GET request to /api/v1/apps/${appId} (e.g. /api/v1/apps/0oa2fatx70JGiU2TA2p7)
  • retrieve the JSON body and modify settings.oauthClient.grant_types to include “password” in the array of elements
  • with the new body, do a PUT request to /api/v1/apps/${appId}

The UI will not display the resource owner password flow selection, however the application will support the flow.
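
The three steps in the reply above, written out as an added example that is not part of the original thread or Okta's own code. The function names, the sample app JSON and the `SSWS` API-token header are assumptions of this example; only the `/api/v1/apps/${appId}` path and the `settings.oauthClient.grant_types` field come from the reply.

```python
import copy
import json
import urllib.request

# Constructed sample of the JSON returned by GET /api/v1/apps/${appId}.
SAMPLE_APP = {
    "label": "Example SPA",
    "settings": {"oauthClient": {"grant_types": ["authorization_code", "implicit"]}},
}

def with_password_grant(app):
    """Return a copy of the app JSON with "password" in grant_types."""
    updated = copy.deepcopy(app)
    try:
        grants = updated["settings"]["oauthClient"]["grant_types"]
    except KeyError as exc:
        raise ValueError("settings.oauthClient.grant_types missing: not an OIDC app") from exc
    if "password" not in grants:
        grants.append("password")
    return updated

def okta_request(method, url, api_token, body=None):
    """Send one JSON request; SSWS API-token auth is an assumption of this example."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def enable_password_grant(org_url, app_id, api_token, request=okta_request):
    """GET the app, add the grant, PUT the whole body back, verify the result."""
    url = f"{org_url.rstrip('/')}/api/v1/apps/{app_id}"
    current = request("GET", url, api_token)
    updated = with_password_grant(current)
    if updated == current:
        return current  # grant already present, nothing to write
    saved = request("PUT", url, api_token, updated)
    if "password" not in saved["settings"]["oauthClient"]["grant_types"]:
        raise RuntimeError("PUT returned without the password grant")
    return saved

if __name__ == "__main__":
    print(json.dumps(with_password_grant(SAMPLE_APP), indent=2))
```

Because the UI will not display the selection, the `grant_types` array returned by the GET is the place to confirm which flows the application accepts.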

@dragos thanks, I ended up changing the type to native because it made more sense, to be honest.

Why is there that hacky way to set the password grant via APIs but not using the UI? It feels inconsistent in my opinion; either you can do it or not.