Implicit flow is not working


#1

I have a custom PHP-based web app, and I want users visiting the app to be authenticated by Okta, and for my app to receive something in return that it can verify to indicate that the user authenticated successfully. Using an implicit flow makes sense to me, and this page leads me to believe this is possible: https://developer.okta.com/standards/OIDC/#id-token.

When I submit to oauth2/v1/authorize or oauth2/default/v1/authorize with response_type=id_token and response_mode=form_post I receive error=unsupported_response_type.

How do I receive the id_token directly from the user when they are redirected back to my app after the successful authentication?

BTW, I know I could use an Authorization code flow, but this results in a call to the authorization server’s Token endpoint, which seems like undue overhead to me.


#2

Hi Greg,

While creating the OIDC application in your Okta org, have you selected the implicit grant?
This is explained in the section “Add an OpenID Connect Client” in this page -
https://developer.okta.com/quickstart/#/widget/nodejs/generic

If you have selected “Web” instead of “SPA” in this step, implicit flow wouldn’t be supported.
If so, update the client in “General Settings” to select “Implicit” in allowed grant type.

Having said that, I’d ask you to reconsider using the Authorization code flow as it is more secure than an implicit flow.
Hope this helps.
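Added example, not code from either post: a PHP sketch of the front-channel exchange the question describes (response_type=id_token with response_mode=form_post), covering the part the thread leaves implicit: the relying party still has to check state, verify the RS256 signature against the issuer's published keys, and validate the claims before trusting the id_token that lands in $_POST. The issuer, client ID and redirect URI are placeholders to replace with your own values; the JWKS URL is Okta's standard /v1/keys endpoint under the issuer; and it assumes the client already has the Implicit grant enabled, as the reply above suggests.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.4 with the openssl and
// json extensions. ISSUER, CLIENT_ID and REDIRECT_URI are placeholders.
declare(strict_types=1);

const ISSUER       = 'https://{yourOktaDomain}/oauth2/default';  // placeholder
const CLIENT_ID    = '{yourClientId}';                            // placeholder
const REDIRECT_URI = 'https://app.example.com/callback.php';      // placeholder

function b64url_decode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    $out = base64_decode(strtr($s, '-_', '+/') . $pad, true);
    return $out === false ? '' : $out;
}

// Minimal DER helpers so a JWK (n, e) can be handed to openssl_verify as a PEM.
function der_len(int $n): string {
    if ($n < 0x80) { return chr($n); }
    $bytes = ltrim(pack('N', $n), "\0");
    return chr(0x80 | strlen($bytes)) . $bytes;
}
function der_int(string $bin): string {
    if (ord($bin[0]) & 0x80) { $bin = "\0" . $bin; }   // keep the integer positive
    return "\x02" . der_len(strlen($bin)) . $bin;
}
function jwk_to_pem(array $jwk): string {
    $rsa   = der_int(b64url_decode($jwk['n'])) . der_int(b64url_decode($jwk['e']));
    $rsa   = "\x30" . der_len(strlen($rsa)) . $rsa;                        // RSAPublicKey
    $bits  = "\x03" . der_len(strlen($rsa) + 1) . "\0" . $rsa;             // BIT STRING
    $algId = "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"; // rsaEncryption, NULL
    $spki  = "\x30" . der_len(strlen($algId . $bits)) . $algId . $bits;    // SubjectPublicKeyInfo
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n")
         . "-----END PUBLIC KEY-----\n";
}

// Step 1: send the user to Okta. state lets the callback reject requests we did
// not start; nonce ties the returned ID token to this login attempt (OIDC
// requires nonce for the implicit flow).
function build_authorize_url(): string {
    $_SESSION['oidc_state'] = bin2hex(random_bytes(16));
    $_SESSION['oidc_nonce'] = bin2hex(random_bytes(16));
    return ISSUER . '/v1/authorize?' . http_build_query([
        'client_id'     => CLIENT_ID,
        'response_type' => 'id_token',
        'response_mode' => 'form_post',
        'scope'         => 'openid profile',
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $_SESSION['oidc_state'],
        'nonce'         => $_SESSION['oidc_nonce'],
    ]);
}

// Step 2: the checks that make a browser-delivered id_token trustworthy.
function verify_id_token(string $jwt, array $jwks, string $nonce): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { throw new RuntimeException('malformed id_token'); }
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64url_decode($h), true);
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($header) || !is_array($claims)) { throw new RuntimeException('bad token JSON'); }
    // Pin the algorithm we expect from Okta; never take it from the token itself.
    if (($header['alg'] ?? '') !== 'RS256') { throw new RuntimeException('unexpected alg'); }
    $key = null;
    foreach ($jwks['keys'] ?? [] as $k) {
        if (($k['kty'] ?? '') === 'RSA' && ($k['kid'] ?? null) === ($header['kid'] ?? '')) { $key = $k; }
    }
    if ($key === null) { throw new RuntimeException('unknown kid'); }
    if (openssl_verify("$h.$p", b64url_decode($sig), jwk_to_pem($key), OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature check failed');
    }
    $now = time(); $skew = 60;                                            // tolerate small clock drift
    if (($claims['iss'] ?? '') !== ISSUER)                                { throw new RuntimeException('iss mismatch'); }
    if (!in_array(CLIENT_ID, (array)($claims['aud'] ?? []), true))        { throw new RuntimeException('aud mismatch'); }
    if (($claims['exp'] ?? 0) < $now - $skew)                             { throw new RuntimeException('token expired'); }
    if (($claims['iat'] ?? PHP_INT_MAX) > $now + $skew)                   { throw new RuntimeException('iat in the future'); }
    if (!hash_equals($nonce, (string)($claims['nonce'] ?? '')))           { throw new RuntimeException('nonce mismatch'); }
    return $claims;
}

// Step 3: the form_post callback. Okta POSTs id_token and state to redirect_uri.
// $fetchJwks is injected so the key fetch can be cached or mocked.
function handle_callback(array $post, callable $fetchJwks): array {
    $expectedState = $_SESSION['oidc_state'] ?? '';
    $expectedNonce = $_SESSION['oidc_nonce'] ?? '';
    unset($_SESSION['oidc_state'], $_SESSION['oidc_nonce']);               // single use
    if (isset($post['error'])) { throw new RuntimeException('authorize error: ' . $post['error']); }
    if ($expectedState === '' || !hash_equals($expectedState, (string)($post['state'] ?? ''))) {
        throw new RuntimeException('state mismatch');
    }
    $jwks = $fetchJwks(ISSUER . '/v1/keys');   // Okta's JWKS; cache it, keys rotate
    return verify_id_token((string)($post['id_token'] ?? ''), $jwks, $expectedNonce);
}

// Usage in callback.php:
//   session_start();
//   $claims = handle_callback($_POST, fn(string $url) => json_decode(file_get_contents($url), true));
//   $_SESSION['user'] = $claims['sub'];
```

The point the reply makes about the authorization code flow still stands: with the code flow the token comes over a back channel and the browser never holds it, whereas here the browser is the courier, so the state, nonce, signature and claim checks above are the only thing separating a real login from a token somebody else posted to your callback.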