Retrieving a session cookie via OpenID

Questions OAuth/OIDC
1

Hi All,

I am currently using the “Authentication API” to request a token using

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(“http…”);

which then provides me with a token. Then I proceed to create a HttpClient request to

HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Add(“Accept”, “/”);
HttpResponseMessage responseSession = await client.GetAsync(“https://dev-xxxxx.oktapreview.com/oauth2/v1/authorize?client_id=xxxxxxxxxx&response_type=id_token&scope=openid&prompt=none&redirect_uri=http://xxxxxxxxxxxxxx.net&state=Af0ifjslDkj&nonce=n-0S6_WzA2Mj&sessionToken=” + token);

but I keep getting 404 response.

I am following instructions from: Work with Okta session cookies | Okta Developer

I have made sure that the redirect_uri is within “Trusted Origins”.

Any ideas on what I could be doing wrong?

Many thanks!

2

Hey @Robert01, thanks for posting. I’m trying to figure out exactly what you’re trying to do.

There are a couple ways you can configure authentication:

  1. You set your own cookie
  2. You accept access_tokens sent by the user’s browser

If 1, you let the server start the redirect using a .NET OpenID Connect library (your user’s browser is redirected, then your server parses the results on the redirect uri). These libraries do correct validation for you, so you’ll just get the user info and store it in your own cookie. This is the authorization code flow.

If 2, you let the browser start the redirect (you could use okta-auth-js for this) to get an access_token. The browser is then expected to send that access_token in every request to your server. Each endpoint on your server should validate any access_token sent. This is the implicit flow.

3

Hi @lboyette, I am using the Okta authentication API to make a HTTP request with the username and password and obtaining an access token. From there, I followed the documents from Okta, to retrieve a session cookie via OpenID Connect Authorization Endpoint.

Reason why I am doing that is because we want to use our own custom login portal, and have the API just authenticate and create the Session cookie and then use that session cookie to literally login the user.

In regards to the scenario 1, does the parsed results in the redirect uri, need to have some code to receive the session?

I am currently using ASP.NET 4.6.x.

4

When you say:

literally login the user

Are you talking about getting the user to the end-user chiclet page?

5

Hi Tom,

Which is the end-user chiclet page?

6

This thing:

Single_Sign-On__SSO__-_Identity_Access_Management___Okta
Single_Sign-On__SSO__-_Identity_Access_Management___Okta.png703×408 59.5 KB

7

Hi Robert,
I read your comments and need your help if you can.
We are using the same approach by calling the Authentication API to authenticate the user using Username and Password. But after that when we are stuck in creating the cookie in user’s browser using OpenID Connect Authorization Endpoint method.
Can you please share the code for how can we achieve that?

Thank you very much in advance.

8

Hi @jaynishp

Please check out this document. In short, you would need to take the sessionToken from the response from /api/v1/authn and pass it in the browser to open a session in Okta.