I have an application that supports the Authorization Code flow of OpenID Connect. It also supports logins initiated from a third-party. This works well with Okta - but to get it to work I have to select that my app can use the Implicit (Hybrid) flow (which it cannot). Does anyone know why this is a requirement? Okta is obviously able to handle the pure Authorization Code flow also when initiating the login.
Are you talking about initiating login from the Okta homepage?
If your application is made in ASP.NET or ASP.NET Core, then most probably it uses hybrid flow, meaning that both authorization code and ID token are requested from Okta. This is by design in the language’s implementation of authorization code flow.
Yes. In the configuration of the app I’ve configured:
Login initiated by: Either Okta or App
Login flow: Redirect to app to initiate login (OIDC Compliant)
Initiate login URI:
To be able to save this configuration however Okta forces me to also select “Implicit (Hybrid)” among the allowed grant types (besides “Authorization Code” which is the only one my app actually supports).
To me this seems like a bug in the configuration panel for the app - I can see no reason why Okta would need to use an implicit flow when performing Okta-initiated login (according to the OIDC spec). All Okta does in that case is call the configured login URI with the name of the issuer (after which the app initiates a login just like if the user had clicked a button in the app).
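As an added illustration, not code from any poster on this thread or from Okta, the following shows what the app side of the exchange described above looks like when the relying party supports only the Authorization Code flow. Per OpenID Connect Core 1.0 section 4 ("Initiating Login from a Third Party"), the OP calls the app's initiate-login URI with `iss` (required) and optionally `login_hint` and `target_link_uri`; the app then starts an ordinary authorization request with `response_type=code`. The client ID, redirect URI, issuer and authorize endpoint below are constructed placeholders, and in a real deployment the authorize endpoint would come from the issuer's discovery document. The `target_link_uri` check is the one practitioners most often forget: an unvalidated value turns the endpoint into an open redirect.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed configuration for a hypothetical relying party (not the poster's app).
CLIENT_ID = "0oaexampleclientid"                    # hypothetical
REDIRECT_URI = "https://app.example.com/callback"   # hypothetical
APP_ORIGIN = "https://app.example.com"              # hypothetical

# Allow-list of issuers this RP trusts, mapped to their authorization endpoints.
# Hypothetical values; normally taken from {issuer}/.well-known/openid-configuration.
KNOWN_ISSUERS = {
    "https://dev-123456.okta.com/oauth2/default":
        "https://dev-123456.okta.com/oauth2/default/v1/authorize",
}


def pkce_challenge(code_verifier):
    """S256 PKCE challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_initiate_login(query_string):
    """Extract iss / login_hint / target_link_uri from the third-party request query."""
    params = parse_qs(query_string, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:
            raise ValueError(f"duplicate parameter: {name}")
        return values[0] if values else None

    iss = single("iss")
    if not iss:
        raise ValueError("iss is required for third-party initiated login")
    return iss, single("login_hint"), single("target_link_uri")


def safe_return_path(target_link_uri):
    """Only allow relative paths or absolute URLs on our own origin (open-redirect guard)."""
    if target_link_uri is None:
        return "/"
    parts = urlsplit(target_link_uri)
    if parts.scheme or parts.netloc:
        if f"{parts.scheme}://{parts.netloc}" != APP_ORIGIN:
            raise ValueError("target_link_uri points off-site")
        return parts.path or "/"
    if not target_link_uri.startswith("/") or target_link_uri.startswith("//"):
        raise ValueError("target_link_uri must be a local absolute path")
    return target_link_uri


def build_authorization_request(iss, login_hint=None, target_link_uri=None):
    """Return (authorize_endpoint, request params, per-login session state)."""
    authorize_endpoint = KNOWN_ISSUERS.get(iss)
    if authorize_endpoint is None:
        raise ValueError("unknown issuer")  # never start a login for an untrusted iss
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(48)
    params = {
        "response_type": "code",            # plain Authorization Code flow, no id_token
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint
    # Everything the callback handler needs to validate the response and finish the flow.
    session = {
        "issuer": iss,
        "state": state,
        "nonce": nonce,
        "code_verifier": code_verifier,
        "return_to": safe_return_path(target_link_uri),
    }
    return authorize_endpoint, params, session


def handle_third_party_login(query_string):
    """Handler for the initiate-login URI; returns (redirect URL, session to persist)."""
    iss, login_hint, target_link_uri = parse_initiate_login(query_string)
    endpoint, params, session = build_authorization_request(iss, login_hint, target_link_uri)
    return f"{endpoint}?{urlencode(params)}", session


if __name__ == "__main__":
    # Constructed request as an OP would send it to the initiate-login URI.
    url, sess = handle_third_party_login(
        "iss=https%3A%2F%2Fdev-123456.okta.com%2Foauth2%2Fdefault"
        "&login_hint=alice%40example.com&target_link_uri=%2Fdashboard"
    )
    print(url)
```

The handler stores `state`, `nonce` and the PKCE verifier server-side (or in an encrypted cookie) before redirecting; the callback then compares the returned `state`, exchanges the code with the verifier, and only after the ID token checks out sends the user to `return_to`. Nothing here requires an ID token in the front channel, which is the point of the discussion above.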
My app (which is written in Java) uses the Authorization Code flow.
I agree that there should be an option to have also authorization code flow as tile. I have moved this topic to Feature Requests section in order to make it visible to our engineering team and possibly have it implemented in the future.