I am using AWS AppSync with Okta OpenID Connect for authorization.
I configured OTP MFA for most users, and Secret Answer for a special CI user.
When a human user logs in through the browser everything works fine, and the token AppSync verifies against Okta is valid.
For the CI user I automated the login: authenticate the user with username/password credentials, then verify the secret answer using the state_token to get a sessionToken, and finally get the id_token using the sessionToken.
To get the id_token I send a GET request to
{{baseUrl}}/oauth2/v1/authorize?client_id={{CLIENT_ID}}&sessionToken={{sessionToken}}&nonce=123456&response_type=id_token&scope=openid%20profile&state=test&redirect_uri={{redirectUri}}
The token returned from Okta when I specify the sessionToken fails verification by the Okta OIDC endpoint.
I compared the requests in the SystemLog.
When a regular user generates the id_token the SystemLog event type is “OAuth2 authorization implicit ID token request”
However when the CI code generates the id_token the SystemLog event type is “OIDC authorization implicit ID token request”
This is unexpected. The only thing different for the CI process is adding the “sessionToken” parameter to the “/authorize” URL.
Is there a problem using the “sessionToken”? Why does the token it generates fail the OIDC verification?
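Added example, not part of the original post: it builds the same implicit-flow /authorize request described above, pulls the id_token out of the redirect fragment, and decodes the claims any OIDC verifier checks first (iss, aud, nonce) so the CI token can be compared against what the relying party expects. The org URL, client id, redirect URI and function names are my own placeholders.

```python
# Added example, not from the original post: build the implicit-flow /authorize
# request described above, extract the id_token from the redirect fragment and
# inspect the claims an OIDC verifier checks first (iss, aud, nonce).
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://example.okta.com"              # placeholder org URL (assumption)
CLIENT_ID = "0oaEXAMPLECLIENTID"                   # placeholder client id (assumption)
REDIRECT_URI = "https://ci.example.com/callback"   # placeholder (assumption)


def build_authorize_url(session_token: str, nonce: str, state: str) -> str:
    """Same parameters as the GET in the question; nonce should be fresh per request."""
    params = {
        "client_id": CLIENT_ID,
        "sessionToken": session_token,
        "nonce": nonce,
        "response_type": "id_token",
        "scope": "openid profile",
        "state": state,
        "redirect_uri": REDIRECT_URI,
    }
    return f"{BASE_URL}/oauth2/v1/authorize?{urlencode(params)}"


def id_token_from_redirect(location: str) -> dict:
    """response_type=id_token puts the token in the URL fragment, not the query string."""
    fragment = parse_qs(urlparse(location).fragment)
    return {key: values[0] for key, values in fragment.items()}


def decode_claims(id_token: str) -> dict:
    """Decode (not verify) the JWT payload so the claims can be compared by eye."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, expected_issuer: str, nonce: str) -> list:
    """Return the mismatches a verifier would reject; an empty list means consistent."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_issuer!r}")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append(f"aud {aud!r} does not include {CLIENT_ID!r}")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the value sent in the request")
    return problems
```

Feed the Location header Okta returns for the CI user to id_token_from_redirect, then run check_claims with the issuer configured on the AppSync side to see which claim the verifier is rejecting.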