How to get OpenID Connect auth code and refresh token

I need an auth code and refresh token. I’m using the sign in widget:

var oktaSignIn = new OktaSignIn({
	baseUrl: orgUrl,
	clientId: 'XXXXXXXXX',
	redirectUri: redirectUrl,
	authParams: {
		responseType: 'code',
		responseMode: 'query',
		scope: [
			'openid',
			'email',
			'profile',
			'groups'
		]
	}
});

oktaSignIn.renderEl(
  { el: '#okta-login-container' },
  function (res) {
    if (res.status === 'SUCCESS') {
        
    	console.log('res<%o>', res);
    }
  }

The okta auth server setup on Admin Applications/General:

Application Type: Web
Allowed grant Types: Authorization Code, Refresh Token
Redirect URIs: http://localhost:8080/authlogin

The response I get after signing in through the widget:
“The authorization server does not support the requested response mode.”

Am I missing some setup in okta admin for this?

Your application in Okta needs to be configured to allow the refresh_token grant type:
https://developer.okta.com/docs/api/resources/oauth2.html#refresh-tokens-for-web-and-native-applications

Then, you should request for the following scope: ‘offline_access’

I can’t reproduce the error you are getting though. So, let me know if that helps if you are still getting the error, what version of the widget are you using?

Thanks for your help. The app is configured in okta to allow grant type refresh token. This is the request the widget builds:

https://xxxx.okta.com/oauth2/v1/authorize?client_id=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauthlogin&response_type=code&response_mode=okta_post_message&state=xxx&nonce=xxx&prompt=none&sessionToken=xxx&scope=openid%20email%20profile%20groups%20offline_access

I configured the widget for response_mode: query but the request the widget builds has the param set to response_mode=okta_post_message. If I submit that request with response_mode=query I get an auth code but no refresh token. I’ve added offline_access to the scopes, but still no refresh token returns. Is there api to exchange the auth code for a refresh token?

these are the widget files I’m using:
https://ok1static.oktacdn.com/assets/js/sdk/okta-auth-js/1.5.0/OktaAuth.min.js
https://ok1static.oktacdn.com/assets/js/sdk/okta-signin-widget/1.7.0/js/okta-sign-in.min.js
https://ok1static.oktacdn.com/assets/js/sdk/okta-signin-widget/1.7.0/css/okta-sign-in.min.css
https://ok1static.oktacdn.com/assets/js/sdk/okta-signin-widget/1.7.0/css/okta-theme.css

thanks,
Rachel

I think this is a defect with that version of the widget.

Can you move the version of the widget assets to 1.11.0 and see if that fixes the issue for you?

That helps, it builds the request with response_mode=query, now. However the response is a code and state. How can I use these to get a refresh token? The sign-in widget doc says I can exchange the code for a refresh token but I can’t find the api to use for that.

thank you!
Rachel

Ok, I’ve got a refresh token!

I used the auth code and grant_type authorization_code in the post below. The offline_access scope is configured on the auth server on okta admin. I got all the goodies back that I need:

curl -X POST
https://xxx.okta.com/oauth2/v1/token
-H ‘accept: application/json’
-H 'authorization: Basic xxx’
-H ‘cache-control: no-cache’
-H ‘content-type: application/x-www-form-urlencoded’
-d 'grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauthlogin&code=xxx’
}

Rachel

Awesome! Glad you got that working, I’ve logged issues to make sure Okta updates the widget examples to use the newest version.