Hello, I am using a fully custom SPA with no Okta redirects or Okta-hosted pages; everything is managed by us.
I ended up with a session_token that I have to exchange to get a proper access_token. The only endpoint I have found so far is the “/v1/authorize” endpoint, but that relies on an HTTP redirect. Is there a way to exchange a session token for an access token by just getting it from the response?
Thanks
I can’t use that, because in the registration flow, I have to call the setPassword endpoint and the only thing I get back is the sessionToken.
Are you saying that I should do nothing with the sessionToken that I get back from the setPassword endpoint and basically do a sign-in with the user’s username and password?
But the /authorize endpoint does have a session token parameter:
Parameter | Description | Param Type | DataType | Required
sessionToken | Okta one-time session token. This allows an API-based user sign-in flow (rather than the Okta sign-in UI). Session tokens can be obtained via the Authentication API. | Query | String | FALSE
The authorize endpoint was the one I was trying to use for the token exchange, but it seems it does not support an API call and returns an HTTP redirect as a response.
Did you try response_type of token?
Parameter | Description | Param Type | DataType | Required
response_type | Any combination of code, token, and id_token. The combination determines the flow. | Query | String | TRUE
response_mode | How the authorization response should be returned. Valid values: fragment, form_post, query or okta_post_message. If id_token or token is specified as the response type, then query isn’t allowed as a response mode. Defaults to fragment in implicit and hybrid flows. | Query | String | FALSE
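The /authorize call with response_type=token answers with a 302 whose Location header carries the token in the URL fragment (response_mode defaults to fragment, as the table above says), and Okta rejects the request unless redirect_uri is an absolute URI that exactly matches one registered on the app. The following Python is an added example, not code from this thread or from Okta: it builds a correctly URL-encoded authorize request, applies the same absolute-URI plus allow-list check on the client side, and reads the token back out of a redirect Location header. The issuer, client_id, session token, allow-list and the Location header below are all constructed placeholders.

```python
"""Added example: build an Okta /authorize request with a sessionToken and
parse the fragment of the redirect it returns. Not from the original thread."""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authorize_url(issuer, client_id, redirect_uri, session_token,
                        state, nonce, scope="openid"):
    """Build the implicit-flow authorize URL; urlencode() percent-encodes
    the redirect_uri so that '://' and ':3000' survive as one parameter."""
    params = {
        "client_id": client_id,
        "response_type": "token",      # returns the access token directly
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "sessionToken": session_token,
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def redirect_uri_is_allowed(redirect_uri, allowed_uris):
    """Mirror of the server-side rule quoted in the thread: the value must be
    an absolute URI (scheme and host present) and appear verbatim in the
    app's registered login redirect URIs. Exact-match comparison is assumed
    here; a trailing slash or different port is treated as a different URI."""
    parts = urlsplit(redirect_uri)
    if not (parts.scheme and parts.netloc):
        return False
    return redirect_uri in allowed_uris


def tokens_from_location(location, expected_state):
    """Parse the fragment of the 302 Location header. Raises ValueError when
    Okta returned an error instead of a token or when the state echoed back
    does not match the one we sent (a CSRF check the client must do itself)."""
    fragment = urlsplit(location).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in fields:
        raise ValueError(f"{fields['error']}: {fields.get('error_description', '')}")
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch in authorization response")
    return fields


# Constructed sample values (placeholders, not real Okta data).
ISSUER = "https://example.oktapreview.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
ALLOWED = {"http://localhost:3000/login"}
SAMPLE_LOCATION = ("http://localhost:3000/login#access_token=eyJEXAMPLE"
                   "&token_type=Bearer&expires_in=3600&scope=openid&state=test")

if __name__ == "__main__":
    uri = "http://localhost:3000/login"
    assert redirect_uri_is_allowed(uri, ALLOWED)
    print(build_authorize_url(ISSUER, CLIENT_ID, uri, "SESSION_TOKEN_PLACEHOLDER",
                              state="test", nonce="test"))
    print(tokens_from_location(SAMPLE_LOCATION, expected_state="test"))
```

In a real call the client must not follow the redirect (curl -v without -L, or `allow_redirects=False` in a Python HTTP client) and instead read the Location header, which is where tokens_from_location() is applied.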
Hi @Govner, I am trying this with both Postman and curl and I am getting HTML back:
curl -v "https://{domain}.oktapreview.com/oauth2/default/v1/authorize?client_id={clientId}&nonce=test&redirect_uri=http://localhost:3000/login&response_type=token&scope=openid&sessionToken={sessiontoken}&state=test"
I am getting a horrible HTML page with this error: error.description: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.
I have configured this URL in Login redirect URIs: http://localhost:3000/login
and in Initiate login URI the same one: http://localhost:3000/login
I also tried the /token endpoint with the password grant and it seems I can’t use it; it is not configured in my app and there is no tick to enable it.
Thanks
I think I will use the resource owner flow. I won’t care about the session token returned by the setPassword endpoint but will proceed to sign the user in with the /oauth2/default/v1/token endpoint.
The only problem I have now is that I can’t set grant_type password for some reason; I can’t see any configuration for this.
Update:
It seems that only if you configured your app as native can you see the resource owner option.
Hi @esolanas
If you want to activate resource owner password flow for an OIDC application that is not of type native, please do the following:
- a GET request to /api/v1/apps/${appId} (e.g. /api/v1/apps/0oa2fatx70JGiU2TA2p7)
- retrieve the JSON body and modify settings.oauthClient.grant_types to include “password” in the array of elements
- with the new body, do a PUT request to /api/v1/apps/${appId}
The UI will not display the resource owner password flow selection, however the application will support the flow.
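The GET, modify, PUT sequence above as a script. This is an added example and not dragos’s or Okta’s own code; it assumes an org URL, app id and an API token read from environment variables, and the SAMPLE_APP body is a constructed, trimmed version of an app record used only to exercise the transform offline. The PUT sends back the full body that was fetched, with only grant_types changed, because PUT on /api/v1/apps/${appId} replaces the application record rather than merging into it.

```python
"""Added example: enable the password grant on a non-native OIDC app through
the Apps API, as described in the thread. Not code from the original post."""
import copy
import json
import os
import urllib.request


def add_password_grant(app):
    """Return a copy of the app JSON with "password" added to
    settings.oauthClient.grant_types. Idempotent: adding it twice still
    yields a single "password" entry, and the input dict is left untouched."""
    updated = copy.deepcopy(app)
    grants = (updated.setdefault("settings", {})
                     .setdefault("oauthClient", {})
                     .setdefault("grant_types", []))
    if "password" not in grants:
        grants.append("password")
    return updated


def _okta_request(method, url, api_token, body=None):
    """Minimal JSON request against the Okta management API. Okta API tokens
    are sent as 'Authorization: SSWS <token>'."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def enable_password_grant(org_url, app_id, api_token):
    """GET the app, add the grant, PUT the whole body back; returns the
    app record Okta stores after the update."""
    url = f"{org_url}/api/v1/apps/{app_id}"
    current = _okta_request("GET", url, api_token)
    return _okta_request("PUT", url, api_token, add_password_grant(current))


# Constructed sample app body (placeholder values, not a real Okta record).
SAMPLE_APP = {
    "id": "0oaEXAMPLEAPPID",
    "name": "oidc_client",
    "settings": {
        "oauthClient": {
            "application_type": "browser",
            "grant_types": ["authorization_code", "implicit"],
            "response_types": ["code", "token", "id_token"],
        }
    },
}

if __name__ == "__main__":
    org_url, app_id = os.environ.get("OKTA_ORG_URL"), os.environ.get("OKTA_APP_ID")
    token = os.environ.get("OKTA_API_TOKEN")  # assumed env var names
    if org_url and app_id and token:
        result = enable_password_grant(org_url, app_id, token)
        print(result["settings"]["oauthClient"]["grant_types"])
    else:
        # Offline dry run on the constructed sample.
        print(json.dumps(add_password_grant(SAMPLE_APP)["settings"], indent=2))
```

Run it with OKTA_ORG_URL, OKTA_APP_ID and OKTA_API_TOKEN set to perform the update; without them it only prints what the transformed settings block would look like, which is a convenient way to review the change before sending it.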
@dragos thanks, I ended up changing the type to native because it made more sense, to be honest.
Why is there that hacky way to set the password grant via the APIs but not using the UI? It feels inconsistent in my opinion; it’s either you can do it or not.