I'm not getting a code on the redirect url using Authorization Code Flow

I’m coding in Java. I’ve hit the /v1/authn endpoint and I’m getting a sessionToken.
I then create a request for authorize as follows:

    Request request = new Request.Builder()
        // authorizeUrl: the authorize endpoint URL, which is missing from the post as shown
        .url(authorizeUrl + "?"
            + "client_id=" + clientId
            + "&nonce=" + uniqueID
            + "&redirect_uri=https://myUrl.com/myPath/authorization-callback"
            + "&response_type=code"
            + "&response_mode=query"
            + "&scope=offline_access api:read api:write"
            + "&sessionToken=" + sessionToken
            + "&state=" + state)
        .build();

When I execute the request and inspect the response, the URL is https://myUrl.com/myPath

I was expecting to see https://myUrl.com/myPath/authorization-callback?code=someCodeHere

Any suggestions?

Hi @punisher660,

Implicit flow doesn’t return an authorization code. For that, you’ll need to use the “Authorization Code flow”.
In implicit flow, you’ll directly get the token in the URL.
Since you’re using Java, you should be using Authorization Code flow, which means you have to create a “Web App” in the Okta Applications page that has a client ID and client secret.
Refer to this for more info - https://developer.okta.com/docs/concepts/auth-overview/#choosing-an-oauth-2-0-flow

Hope this helps.

Now I feel silly - I used the wrong term in the title (newb mistake). The organization WAS using implicit flow, and it has been changed to Authorization Code Flow. The rest of the post/issue I’m experiencing is correct though…I get a sessionToken from the authn endpoint, pass that in the request that I’m building (shown in the message) which is passed to the authorize endpoint and I am not getting the code back in the response. We do have a web app with a client ID and client secret. Sorry for the confusion.

Thanks for the clarification, @punisher660.
I’m not sure what could be causing the issue here, but you can try using the OIDC debugger playground as explained here - Get an access token manually for testing

That won’t fix your issue but will give you confidence in your configuration.

Also, I have a feeling that your issue could be related to following redirects. Is the response code you receive a 200 instead of 302? In that case, check if there’s a config to set “follow redirects” to true, while building your client.

That was it - set redirects to false and the code was in the header. Thanks!

1 Like

Glad that you solved it. :slight_smile:
Sorry for the incorrect advice of setting it to true though.
Now let me go back and edit my post to seem that I was correct all along. :smile:

1 Like
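The fix confirmed in this thread, as an added example that is not code from any of the posters: with redirect following turned off, the authorize response stays a 302 and the code is read from its `Location` header, after checking that the returned `state` matches the one sent. It uses the JDK's `java.net.http.HttpClient` (whose default redirect policy is already `NEVER`; it is set explicitly here) rather than the client in the original post, and a constructed local stub stands in for the authorize endpoint; the `/authorize` path, `constructedCode` and the state value are made up for the demonstration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URLDecoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class AuthCodeFromRedirect {
    public static void main(String[] args) throws Exception {
        String state = "constructed-state-123"; // constructed; use a random per-request value
        // Constructed stand-in for the authorize endpoint: answers 302 with code and state.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/authorize", ex -> {
            ex.getResponseHeaders().add("Location",
                "https://myUrl.com/myPath/authorization-callback?code=constructedCode&state=" + state);
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        stub.start();
        try {
            HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER) // keep the 302 instead of chasing it
                .build();
            URI authorize = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + "/authorize");
            HttpResponse<Void> resp = client.send(HttpRequest.newBuilder(authorize).GET().build(),
                HttpResponse.BodyHandlers.discarding());
            if (resp.statusCode() != 302) throw new IllegalStateException("expected 302, got " + resp.statusCode());
            String location = resp.headers().firstValue("Location")
                .orElseThrow(() -> new IllegalStateException("302 without Location header"));
            Map<String, String> params = new HashMap<>();
            String query = URI.create(location).getRawQuery();
            for (String pair : query.split("&")) {
                String[] kv = pair.split("=", 2);
                params.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                    kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
            }
            // Reject the response unless it echoes the state we sent (CSRF check).
            if (!state.equals(params.get("state"))) throw new SecurityException("state mismatch");
            if (params.containsKey("error")) throw new IllegalStateException(params.get("error"));
            System.out.println("authorization code: " + params.get("code"));
        } finally {
            stub.stop(0);
        }
    }
}
```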