How to get OpenID Connect auth code and refresh token

Questions OAuth/OIDC
1

I need an auth code and refresh token. I’m using the sign in widget:

var oktaSignIn = new OktaSignIn({
	baseUrl: orgUrl,
	clientId: 'XXXXXXXXX',
	redirectUri: redirectUrl,
	authParams: {
		responseType: 'code',
		responseMode: 'query',
		scope: [
			'openid',
			'email',
			'profile',
			'groups'
		]
	}
});

oktaSignIn.renderEl(
  { el: '#okta-login-container' },
  function (res) {
    if (res.status === 'SUCCESS') {
        
    	console.log('res<%o>', res);
    }
  }

The okta auth server setup on Admin Applications/General:

Application Type: Web
Allowed grant Types: Authorization Code, Refresh Token
Redirect URIs: http://localhost:8080/authlogin

The response I get after signing in through the widget:
“The authorization server does not support the requested response mode.”

Am I missing some setup in okta admin for this?

2

Your application in Okta needs to be configured to allow the refresh_token grant type:
https://developer.okta.com/docs/api/resources/oauth2.html#refresh-tokens-for-web-and-native-applications

Then, you should request for the following scope: ‘offline_access’

I can’t reproduce the error you are getting though. So, let me know if that helps if you are still getting the error, what version of the widget are you using?

3

Thanks for your help. The app is configured in okta to allow grant type refresh token. This is the request the widget builds:

https://xxxx.okta.com/oauth2/v1/authorize?client_id=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauthlogin&response_type=code&response_mode=okta_post_message&state=xxx&nonce=xxx&prompt=none&sessionToken=xxx&scope=openid%20email%20profile%20groups%20offline_access

I configured the widget for response_mode: query but the request the widget builds has the param set to response_mode=okta_post_message. If I submit that request with response_mode=query I get an auth code but no refresh token. I’ve added offline_access to the scopes, but still no refresh token returns. Is there api to exchange the auth code for a refresh token?

these are the widget files I’m using:
https://ok1static.oktacdn.com/assets/js/sdk/okta-auth-js/1.5.0/OktaAuth.min.js
https://ok1static.oktacdn.com/assets/js/sdk/okta-signin-widget/1.7.0/js/okta-sign-in.min.js
https://ok1static.oktacdn.com/assets/js/sdk/okta-signin-widget/1.7.0/css/okta-sign-in.min.css
https://ok1static.oktacdn.com/assets/js/sdk/okta-signin-widget/1.7.0/css/okta-theme.css

thanks,
Rachel

4

I think this is a defect with that version of the widget.

Can you move the version of the widget assets to 1.11.0 and see if that fixes the issue for you?

5

That helps, it builds the request with response_mode=query, now. However the response is a code and state. How can I use these to get a refresh token? The sign-in widget doc says I can exchange the code for a refresh token but I can’t find the api to use for that.

thank you!
Rachel

6

Ok, I’ve got a refresh token!

I used the auth code and grant_type authorization_code in the post below. The offline_access scope is configured on the auth server on okta admin. I got all the goodies back that I need:

curl -X POST
https://xxx.okta.com/oauth2/v1/token
-H ‘accept: application/json’
-H 'authorization: Basic xxx’
-H ‘cache-control: no-cache’
-H ‘content-type: application/x-www-form-urlencoded’
-d 'grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauthlogin&code=xxx’
}

Rachel

7

Awesome! Glad you got that working, I’ve logged issues to make sure Okta updates the widget examples to use the newest version.

8

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.