How to configure Jmeter callback "CODE" parameter

We have recently switched to using Okta for our SSO. I am trying to update a jmeter script to use Okta to sign into our asp.net application. We are using the existing ASP.NET okta module to handle the pipeline processing.

When I record a login session I see after the call to authn some json (state_Token) is returned with a status of succeeded.

Then there is a post to my call back url:
https://{MY-SERVER}/authorization-code/callback
with two values, STATE and CODE.

I know STATE is a random value I generate early in the code flow and provide in several calls.
But I am unsure about CODE. I found the following in the documentation:

code: An opaque value that can be used to redeem tokens from the token endpoint. code is returned if the response_type includes code. The code has a lifetime of 300 seconds.

The previous call to authn has a responseType of “code” but I do not see a code value in the state_token returned but somehow the redirect to my call-back URI suddenly has it as a post value.

Right now I am just passing the CODE value that was originally recorded but should be expired and I get a 404 error about the resource (/authorization-code/callback) not existing. I’m not sure if that is due to the CODE value being old or if there is something else wrong with this post back to my server.

If anyone has any insight into this I would be extremely thankful.

Just to be clear, manually logging in works just fine. It is just when I am attempting to do so with jmeter which I just started to use a few weeks ago that I am seeing this issue.

I just went back to look around and immediately saw the CODE value is initially provided as a hidden field in a bit of html sent between the authn call and the post to my call back.

I want to post this update quickly so no one wastes time answering this. I still need to test and see if providing the current value works or if I still get the 404.

I am now extracting the CODE value correctly but still getting the 404 error when making the callback. Does anyone know what the secret sauce is to get the okta module to grab this request? A coworker noted that when they put the call back url into the browser they also get this 404. I will look closer at the headers, maybe something in there is special.

I’m going to close this post and open a new one specific to my current issue.
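
The hidden-field handoff described in this thread, as an added example that is not part of the original posts and is not Okta's or JMeter's code: stand-alone Python that parses the intermediate HTML page, checks the returned state against the value the session sent, and builds the body for the POST to the callback URL. The host name, the sample HTML and all values in it are constructed, and the function names are hypothetical; it does not address the 404.

```python
import hmac
from html.parser import HTMLParser
from urllib.parse import urlencode


class FormPostParser(HTMLParser):
    """Collects the first form's action URL and its hidden input fields."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive with HTML entities decoded
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def build_callback_post(html, expected_state):
    """Return (action_url, urlencoded_body) for the POST to the callback."""
    p = FormPostParser()
    p.feed(html)
    if "error" in p.fields:
        raise ValueError("authorization error: " + p.fields["error"])
    code, state = p.fields.get("code"), p.fields.get("state")
    if not p.action or not code or not state:
        raise ValueError("no form with code and state found")
    # The state must be the value this session generated; reject anything else.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    # Re-encode for application/x-www-form-urlencoded ('+' becomes %2B).
    return p.action, urlencode({"code": code, "state": state})


# Constructed sample of the intermediate page (all values are made up).
SAMPLE_HTML = """
<html><body onload="document.forms[0].submit()">
<form method="post" action="https://app.example.test/authorization-code/callback">
<input type="hidden" name="code" value="c0nstructedCode-123"/>
<input type="hidden" name="state" value="st4te&#x2b;abc"/>
</form></body></html>
"""

if __name__ == "__main__":
    print(build_callback_post(SAMPLE_HTML, "st4te+abc"))
```

Because the code is short-lived and tied to one login, a recorded value cannot be replayed; each test iteration has to extract a fresh one from that iteration's response.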
