Okta PKCE Integration testing OAuth Token


I am trying to incorporate integration testing for my use case. My SPA implements Okta token authentication using the SDK and a redirect_url.
While integrating the testing I tried to get an auth_token and verify the user using API calls.
Below is the code I am trying, with steps:

  1. Get a session token using username and password by calling "{DOMAIN}/api/v1/authn"

  2. Get an access token using the session token from Step 1 by calling "{DOMAIN}/oauth2/default/v1/authorize?sessionToken={sessionToken}&client_id={clientID}&code_challenge={random Number}&code_challenge_method=S256&nonce={random_number}&redirect_uri=http://localhost:8080/redirect&response_type=token&state={random}&scope=openid%20profile%20email&prompt=none"

  3. I get the access_token in the URL as #access_token={token}

  4. I extract the token

  5. I verify the user using the API call "{DOMAIN}/oauth2/default/v1/introspect?token=$token&token_type_hint=access_token&client_id=$client_id"

  6. Unfortunately, I always get the response { "active": false }

Can someone help me? I would really appreciate it.


I don't see anything wrong with the way you're doing this. As long as you are sending the raw JWT access token back to the same authorization server that issued it (via the /introspect endpoint), then this call should work.

That was the key... the servers were different. Thank you so much!
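The flow from the question (session token, authorize request, extracting the token from the redirect, introspection) and the point from the reply (introspect only against the authorization server that issued the token) in one runnable script. This is an added example, not code from the original thread or from Okta: the issuer URL, client ID, redirect URI and the sample JWT are constructed placeholders, nothing is sent over the network, and the PKCE helper builds the verifier/challenge pair properly with `response_type=code` (PKCE belongs to the authorization code flow, so a real `code_challenge` is paired with a `code` in the redirect rather than a fragment `access_token`). The redirect parser still handles the fragment form shown in the question, and the introspection builder refuses to send a token to a server whose URL differs from the token's `iss` claim, which is exactly the mismatch that produced `{"active": false}` in the thread.

```python
"""Added example (not part of the original thread or of Okta's SDK).

Everything below is offline: ISSUER, CLIENT_ID, REDIRECT_URI and the
sample JWT are constructed for illustration only.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders; substitute your own org's values.
ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
REDIRECT_URI = "http://localhost:8080/redirect"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 and JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))          # 43 chars, within RFC 7636's 43..128
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(session_token: str, code_challenge: str, state: str, nonce: str,
                        issuer: str = ISSUER, client_id: str = CLIENT_ID,
                        redirect_uri: str = REDIRECT_URI) -> str:
    """Step 2 of the question, but with the code flow that PKCE is designed for."""
    params = {
        "client_id": client_id,
        "response_type": "code",          # not "token": PKCE pairs with the code flow
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,    # from POST {DOMAIN}/api/v1/authn (step 1)
        "prompt": "none",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> dict:
    """Steps 3-4: pull code (query) or access_token (fragment) out of the redirect."""
    parts = urlsplit(redirect_url)
    raw = parts.query or parts.fragment           # code flow uses ?query, implicit uses #fragment
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: stale or forged redirect")
    if "error" in params:
        raise ValueError(f"authorization error: {params['error']}")
    return params


def jwt_claims_unverified(token: str) -> dict:
    """Read JWT claims WITHOUT verifying the signature. Only used here to route
    the token to the right introspection endpoint, never to authorize anything."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def introspection_request(token: str, introspect_base: str = ISSUER,
                          client_id: str = CLIENT_ID) -> tuple[str, dict]:
    """Step 5: build the RFC 7662 introspection call (POST, form-encoded body).

    Refuses to send the token anywhere other than the server named in its
    'iss' claim; a different server answers {"active": false}, as in the thread."""
    iss = jwt_claims_unverified(token).get("iss")
    if iss != introspect_base:
        raise ValueError(f"token issued by {iss!r}, introspecting against {introspect_base!r}")
    body = {"token": token, "token_type_hint": "access_token", "client_id": client_id}
    return f"{introspect_base}/v1/introspect", body


def make_sample_token(iss: str, sub: str = "test.user@example.com") -> str:
    """Constructed, unsigned JWT so the example runs offline (alg=none, dummy signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": iss, "sub": sub, "scp": ["openid", "profile"]}).encode())
    return f"{header}.{claims}.sig"


def demo() -> dict:
    """Walk the whole flow with constructed values and return what would be sent."""
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    authorize_url = build_authorize_url("00SESSIONTOKEN", challenge, state, nonce)
    # Constructed redirect as the authorization server would return it for the code flow.
    redirect = parse_redirect(f"{REDIRECT_URI}?code=AUTHCODE123&state={state}", state)
    # In a real run the code is exchanged at {ISSUER}/v1/token with code_verifier=verifier;
    # here a constructed token stands in for the access_token that exchange returns.
    token = make_sample_token(ISSUER)
    introspect_url, body = introspection_request(token)
    return {"authorize_url": authorize_url, "code": redirect["code"],
            "code_verifier": verifier, "introspect_url": introspect_url, "body": body}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `iss` comparison is the check to add to a test harness: if the token was minted by `{DOMAIN}/oauth2/default` but the introspection call goes to `{DOMAIN}/oauth2/v1/introspect` (the org authorization server) or to a different custom server, the response is `{"active": false}` with no further explanation, which is what the thread ran into.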
