PKCE flow Authorize then Token

I am implementing the PKCE flow, first calling the Authorize endpoint and then planning to call the Token endpoint.

My call to Authorize is the following:

https://myoktapreview.com/authorize?client_id=xxxxxxxxxxxxx&response_type=code&response_mode=query&scope=openid&redirect_uri=https://abc.com/login&state=1234567890&nonce=laf9032iolkadfoaf2&code_challenge=aaKtb7bbnX4jpCCiaxsKmy5Cznyvd3zOFh5REsEPGLA&code_challenge_method=S256

In the response from this call I see “okta_key”. For the call to Token endpoint I need to provide a “code” parameter - is okta_key the same as this code parameter? If not, where do I get this “code”?

Thanks!

My Authorize call is working but does anyone know if “okta_key” is the same as “code”? Thanks!

The okta_key is used by the Okta login page to track the original request so that the user can get redirected correctly after they login. The authorization code will be returned to your application once the user fully logs into Okta.

If you complete the login process for a user, are they redirected to your redirect_uri next, with the ‘code’ passed along as a URL fragment or query parameter?

1 Like

Thanks Andrea, so I’m clear now that okta_key is not what I need. I am authenticating the user first via credentials, from that call I get back sessionToken. So when I now call Authorize I pass that sessionToken and the call is successful.

Now I’m just not clear what needs to be passed to the Token endpoint. Is there something I get back from Authorize that in turn gets passed to Token?

Thanks again!

Here’s what I’m sending as my Token request:

https://myoktaurl.com/oauth2/v1/token?&code_verifier=-1503865776&grant_type=authorization_code&redirect_uri=https://localhost:44385/Login&client_id=myclientid

This returns this error:
“errorCode”: “invalid_client”,
“errorSummary”: “Invalid value for ‘client_id’ parameter.”,

I have of course double-checked that the client_id I am passing matches my client id and okta, and my client is active.

And the Client ID you are passing into the /token request matches the one used in the /authorize request?

If you’re not already referring to it, I recommend following our guide that walks you through the authorization code with PKCE flow.

1 Like

Yes I’m following the PKCE flow guide, thanks. I’m past the invalid client error on my call to Token but now with this request:

https://myoktapreviewurl.com/oauth2/v1/token?&code_verifier=cBadfaHuveSgCoKG8Ompw0vracL-Dn8Bwdabc4caoTo&grant_type=authorization_code&redirect_uri=https://localhost:44385/Login&client_id=abczezpdeffJJjnb10gtr57&scope=openid

I get this error:

“error”: “invalid_grant”,
“error_description”: “The authorization code is invalid or has expired.”

is the code_verifier the only thing that connects my Authorize call to my Token call (along with client id)? In my Token call I am passing the code_verifier that I used to generate the generate the code_challenge in my Authorize call.

The code that you send to the token endpoint is the one that Okta returns to your callback route (redirect_uri). Its lifetime is 5 minutes and is tied to the specific authorization flow that issued it.

So, yes, the token call should be passed both the code_verifier used to generate the code_challenge in the authorize call AND the authorization code (as ‘code’) that Okta returned for the same authorize call. Just make sure you make the request to the token endpoint within the 5 minutes that that token is valid!

1 Like

Ok I have this working now thank you! There was an issue with my .NET code calling the Token endpoint and this appeared to invalidate the Authorization Code. Fixed my code and now Token endpoint works!

I do have a question back on the Authorize call though - I see that sessionToken is an optional parameter. From my tests with the Authorize call it seems that I only get back a code if I pass a sessionToken. So is sessionToken required to get back a code?

Thanks!

The sessionToken needs to be passed in the authorize call if an Okta session does not already exist in the user’s browser (session cookie called ‘sid,’ set on the Okta domain), but you want the user to not be redirected to Okta to login (which would happen if you drop your /authorize call in a browser without a sessionToken).

You might want to check out this guide if you’re not sure how to get the sessionToken: https://support.okta.com/help/s/article/How-to-get-tokens-for-an-OIDC-application-without-a-browser-using-curl-Postman

Got it! My case is a bit different as I’m doing this from a client windows app rather than a web app. So if I’m understanding correctly I need to establish the Okta session for the user (within my client app), get the sessionToken and then use that in my call to Authorize.

1 Like