Okta-idx-java SDK and Authorization Code flow with PKCE


We have been using the okta-auth-java and okta-sdk-java SDKs to access the Okta API. Our requirement is to upgrade to use the latest SDKs. Now that we have upgraded our Okta Orgs to the new Okta Identity Engine. We first want to switch to use the okta-idx-java. But I do have another requirement to use Authorization Code flow with PKCE. My questions are:

  1. When I switch to okta-idx-java, is it still necessary to switch to use the Authorization Code flow with PKCE? I see the Interaction Code flow is using the PKCE code verifier & challenge.
  2. Can I implement the Authorization code flow with the okta-idx-java SDK? Any example implementation?


  • okta-idx-java SDK is specific to the Interaction code flow.
  • okta-auth-java is specific to authn
  • okta-sdk-java is for management calls and will be the same for classic/OIE

Okta doesn’t have a generic Java Authorization Code flow SDK. Typically customers needing this are running Spring applications and would use the okta-spring-boot SDK.

okta-idx-java (Interaction code flow) is not the same as authorization code flow, but does use PKCE the same way the authorization code flow can.

If you want to use the authorization code flow, but are not running Spring and want to use an SDK. I believe you could use the okta-idx-java SDK using an embedded auth model. In your Okta Org you would configure your own Okta Org as an external OIDC IdP to itself. Then create a routing rule for this application to use that IdP. This way when an interaction code flow starts the step would be to redirect the user to the IdP which Okta redirects to itself, do authentication, redirect back to the app, the SDK would then retrieve tokens. I haven’t tested it and would usually recommended it. In theory it should work and would produce an authorization code “like” flow.

Thank You,

Thanks, erik, for your explanation and recommendation!

As you recommended, I’m using embedded authentication model and configured my app as an external IdP. With that, I can use the okta-idx-java to get the id_token and access_token. I have a question on the redirect_uri. It is a required argument to the okta-idx-java SDK. But how the redirect_uri is used in the Interaction Code flow?

Looks like I can not use the Interaction Code grant type for our scenario because we need to share the authenticated session with other applications. :frowning_face:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.