I have a custom PHP-based web app, and I want users visiting the app to be authenticated by Okta, and for my app to receive something in return that it can verify to indicate that the user authenticated successfully. Using an implicit flow makes sense to me, and this page leads me to believe this is possible: https://developer.okta.com/standards/OIDC/#id-token.
When I submit to oauth2/v1/authorize or oauth2/default/v1/authorize with response_type=id_token and response_mode=form_post I receive error=unsupported_response_type.
How do I receive the id_token directly from the user when they are redirected back to my app after the successful authentication?
BTW, I know I could use an Authorization code flow, but this results in a call to the authorization server’s Token endpoint, which seems like undue overhead to me.