How to get 'Authorization Code'

In the following workflow, step #4 says that once signed in, Okta would return an ‘Authorization code’ to my app. But in the claims (using the example app downloaded from Okta), it does not have it. Where can I find the definitions of ‘Authorization code’, ‘ID_token’ and ‘Access_Token’? Do you have a .NET or .NET Core example to illustrate step #5 below? What can the access_token be used for? Thanks.


Our .NET SDK (or OWIN) will handle this part of the flow for you, making the authorize request, taking the authorization_code returned back to the redirect_uri and using it to get tokens. Your application only needs the authorization code to complete this exchange/transaction and after that the tokens will be used.

Once your application has these tokens, it will use them as part of the application session, to get information about the user from the /userinfo endpoint, and potentially send them as a bearer token to a resource server. See OAuth 2.0 and OpenID Connect Overview | Okta Developer

Thanks. Would you please double check my question? I am asking which one is the ‘Authorization Code’. From the screenshot of the claims returned from sign-in, it does not have it. What are the Access Token and ID Token?

What you’re seeing is after the one-time use authorization code has already been used, as per the Authorization Code flow: Implement authorization by grant type | Okta Developer

Your app is successfully completing this authentication flow and now the ID/Access tokens can be used to receive information about the user (claims in the ID token) and access a secured resource server (authorized via an access token).

I recommend reading through the concept documentation we have about OpenID Connect and OAuth in case you’re new to it: OAuth 2.0 and OpenID Connect Overview | Okta Developer

Great! Thanks. That is what I need to know - the access token received from sign in will be further used to retrieve user information from Okta!

I am following the instructions here to try to get user info. But it says 404 Not Found. Would you please let me know where I am wrong? If I use https://dev-12907946.okta.com/oauth2/v1/userinfo as the URL, then I get ‘Unauthorized’. The instructions are very hard to follow. Which URL is the right one?
Thanks

https://developer.okta.com/docs/reference/api/oidc/#best-practices


It turns out that the URL has to be /oauth2/default/v1/userinfo and the access token cannot be base64-encoded. It works now. But another question is how to retrieve customized profile properties and group information? Userinfo does not return customized properties. Thanks.

/userinfo will only return the claims listed here, dependent on the scopes that were requested.

Any additional attributes you wish to receive back from this call will need to be added as custom claims on the custom authorization server you are using (in this case, the one called ‘Default’).

We did add a claim but it did not work. Would you please elaborate a bit? Thanks.

You have that claim set to appear in an access token, but it sounds like you want it to instead appear in the userinfo response, so make sure you configure it to do so.

Example: Screen Shot 2021-11-22 at 9.09.28 AM

Thanks. The example helps a lot. It is working now. Another question is how to get a user’s group information? For example, if user A is in Group1, Group2 and Group5, we would like to get these group names. Do you have an example of how to do so? Thanks

There are a lot of options for how to do this, so I’m going to point to our documentation on creating groups claims: Customize tokens returned from Okta with a Groups claim | Okta Developer. Make sure you follow the guides for how to make the claim for a Custom Authorization Server!

Below is a very basic example showing how to include Okta groups the user authenticating is a member of in a claim:
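As an added illustration (not the screenshot example from this thread and not Okta's SDK or OWIN code), the following Python shows the two points the thread settles: the raw access token is sent as a Bearer header to the userinfo endpoint under the default authorization server, and custom and groups claims are read from the ID token by the names configured on that server. The issuer is the thread's org domain with the ‘default’ server; the client id, claim names (`groups`, `department`) and the sample token are constructed placeholders, and signature verification is assumed to be done by the SDK middleware.

```python
import base64
import json
import time
from typing import List, Optional, Tuple

# Assumed issuer: the thread's org with the "default" authorization server, whose
# endpoints live under /oauth2/default/v1/ (the /oauth2/v1/ path returned 404).
ISSUER = "https://dev-12907946.okta.com/oauth2/default"
CLIENT_ID = "0oa-example-client-id"  # placeholder, not a real Okta client id


def userinfo_request(access_token: str) -> dict:
    """Build the /userinfo call: the raw access token goes in a Bearer header.
    Base64-encoding it (as for HTTP Basic) produces the 'Unauthorized' seen above."""
    return {"url": f"{ISSUER}/v1/userinfo",
            "headers": {"Authorization": f"Bearer {access_token}"}}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str, now: Optional[float] = None) -> dict:
    """Return the ID token claims after checking alg, iss, aud and exp.
    Signature verification against the issuer's JWKS is assumed to be done by
    the SDK/OWIN middleware the thread describes; this only inspects the payload."""
    header, payload, _signature = id_token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") == "none":
        raise ValueError("unsigned token rejected")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def groups_and_profile(claims: dict) -> Tuple[List[str], Optional[str]]:
    """Custom claims appear under the names configured on the authorization
    server; 'groups' and 'department' are assumed names for this example."""
    return sorted(claims.get("groups", [])), claims.get("department")


def constructed_id_token(claims: dict) -> str:
    # Constructed offline sample; the signature segment is a dummy placeholder.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example'})}.{enc(claims)}.dummysig"


SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-example", "exp": 4102444800,
                 "groups": ["Group5", "Group1", "Group2"], "department": "Engineering"}
```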

Thank you very much. Your example works very well. I am not able to retrieve both the customized property and groups. I still have the following issues that need to be cleaned up:

  1. Having an Access Token, how do I check with Okta whether a user is still logged in or whether a session is valid?
  2. How do I refresh or update an Okta session to extend it?

Do you have any examples or documents for these issues?
Thanks

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.