How can I exchange a sessionToken for an AccessToken in the backend for an application/client with PKCE

Application/Client Grant Type: Authorization_Code with PKCE

I am building an Integration Test Suite, where I need to obtain the access_token using only API calls (backend).
I am able to use the proprietary OKTA Authentication API https://dev-215257.okta.com/api/v1/authn and subsequently the MFA verify API https://dev-215257.okta.com/api/v1/authn/factors/{{factorId}}/verify to obtain the sessionToken.

Next, I am trying to exchange the sessionToken for an AccessToken as per the doc https://developer.okta.com/docs/reference/api/oidc/#authorize
'https://dev-215257.okta.com/oauth2/default/v1/authorize?client_id=0oa3gtvqedqiKMp8k357&response_type=id_token%20token&scope=openid%20profile%20email&redirect_uri=http://localhost:8080/authorization-code/callback&state=testing&nonce=testing%20nonce&sessionToken=20111zbLpLymutMOp2T0OPohIyEuIw_ODj78qYRkGNGKLPDhE7Y6_xH
I am getting the response: Error: connect ECONNREFUSED 127.0.0.1:8080 (this is the callback URL).

I am expecting an IDToken and AccessToken in the response.

Any help is appreciated.

What is the URL you are redirected to? It should include the id_token requested as part of the URL.

The redirect URL has the error response:
http://localhost:8080/authorization-code/callback#state=testing&error=unsupported_response_type&error_description=The+response+type+is+not+supported+by+the+authorization+server.+Configured+response+types%3A+%5Bcode%5D

I believe, as the grant_type configured is authorization_code, I have to use response_type=code…
And when I do that, then I get the following redirect URL:
https://dev-215257.okta.com/login/login.htm?fromURI=%2Foauth2%2Fv1%2Fauthorize%2Fredirect%3Fokta_key%3D3fmgcE5TCPgQJJ-AF7gDCeWtVIeXSZZ1wYXtJRi6dh8

Check this one https://developer.okta.com/docs/guides/session-cookie/overview/#retrieving-a-session-cookie-via-openid-connect-authorization-endpoint

Try providing the prompt=none param when sending the initial request to /authorize.

I tried that as well… here is what I get in spite of a valid sessionToken following successful authentication seconds ago…

http://localhost:8080/authorization-code/callback?state=testing&error=login_required&error_description=The+client+specified+not+to+prompt%2C+but+the+client+app+requires+re-authentication+or+MFA

Are you sure the sign-on policy for this application doesn't require re-authentication?

@phi1ipp yes, you are correct, it was configured as Every Sign On.
I changed it to Once per Session. …still getting the same issue… does it take time to change? Thanks much…

I suggest you remove the application sign-on policy and keep the default one, which just allows access to the application. Test if it works this way.

You can always introduce MFA for the initial sign-on which you handle with auth-js


@phi1ipp thanks, I removed the application sign-on policy, falling back to the default policy. Now I get the code in the redirect Location header.

Thanks Much.

Since my OKTA org policy is configured for MFA enforced once per session, I am getting prompted for MFA when I hit {{url}}/api/v1/authn, but I am able to call the TOTP verify endpoint to get past the MFA and obtain the sessionToken prior to making the /authorize call.
In conclusion, removing the custom sign-on policy for the application did the trick.
Many thanks @phi1ipp
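The flow the thread ends up with (response_type=code, prompt=none and the sessionToken on /authorize, then the PKCE code exchange at /token), written out as an added example for a backend integration test; this is not code from the thread or from Okta's own SDKs. OKTA_ORG, CLIENT_ID and REDIRECT_URI are placeholders, the session_token is assumed to come from the /authn and factor verify calls described above, and the redirect is deliberately not followed so the client never connects to the callback URL (the ECONNREFUSED in the question).

```python
import base64, hashlib, json, secrets, urllib.parse, urllib.request
from urllib.error import HTTPError

# Placeholders (assumptions): your org URL, the PKCE app's client_id and its registered redirect URI.
OKTA_ORG = "https://{yourOktaDomain}"
CLIENT_ID = "{clientId}"
REDIRECT_URI = "http://localhost:8080/authorization-code/callback"

def make_pkce_pair():
    """RFC 7636 code_verifier and its S256 code_challenge (base64url, unpadded)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(session_token, challenge, state):
    """response_type=code (the only type this app allows) plus prompt=none and the sessionToken."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile email",
              "redirect_uri": REDIRECT_URI, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256", "prompt": "none", "sessionToken": session_token}
    return f"{OKTA_ORG}/oauth2/default/v1/authorize?" + urllib.parse.urlencode(params)

def parse_callback(location, expected_state):
    """Check state, surface error/error_description (e.g. login_required), return the code."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state in callback does not match the request")
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    return query["code"][0]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow the 302 to localhost:8080, so the Location header can be read instead."""
    def redirect_request(self, *args, **kwargs):
        return None

def exchange_session_token(session_token):
    """sessionToken -> code (/authorize) -> access_token and id_token (/token with code_verifier)."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    try:
        urllib.request.build_opener(_NoRedirect).open(build_authorize_url(session_token, challenge, state))
        raise RuntimeError("expected a 302 from /authorize")
    except HTTPError as err:  # urllib raises HTTPError for the 302 we declined to follow
        code = parse_callback(err.headers.get("Location", ""), state)
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                                   "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}).encode()
    req = urllib.request.Request(f"{OKTA_ORG}/oauth2/default/v1/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

If /authorize answers with login_required or unsupported_response_type, parse_callback raises with that error_description, which points straight at the sign-on policy or the app's configured response types discussed above.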