I have just set up a new project with my team under my company’s /default server. I have a script in Postman that logs the user in with the /authn endpoint using a username and password, which gets a session token that I can use in the /authorize endpoint. However, whenever I hit the /authorize endpoint and try to get the token and id_token back from the /default server, it says that only code is a configured response type, even though I see “token id_token” under /.well-known/openid-configuration. Here is an example call (of course with the proper session token and client ID):
GET https://oktapreview.com/oauth2/default/v1/authorize?session_token=propersessiontoken&client_id=client_id&redirect_uri=http://localhost:3000/login/callback&response_type=token%20id_token&scope=openid&state=&nonce=nonce&response_mode=form_post&prompt=none
I have confidence in the script because it is working for another application and because I have tried just hitting the /authorize endpoint outside of the script in a regular Postman call. Is there something missing in the Okta settings that is not allowing me to do token id_token? I am not able to see the settings because another team at my company is in charge of all things Okta.
Have you enabled Implicit (Hybrid) and the Access and ID Tokens listed underneath as allowed grant types for the OIDC application you created for this integration?
I actually just found out that we are only supporting the PKCE flow and not the implicit flow anymore. However, I have tried to adjust my scripts so that I can make a call to the /authorize endpoint to get the code back instead, but I am confused as to how I can do this without having to log in after the call is made in Postman, if that makes sense. Would passing in a session token allow me to not have to have a prompt of login?
oauth2/default/v1/authorize?client_id=clientId&redirect_uri=http://localhost:3000/login/callback&response_type=code&scope=openid&state=state&nonce=nonce&response_mode=fragment&code_challenge_method=S256&code_challenge=challenge
Yes, if you add a sessionToken to the /authorize request, you will have fulfilled the primary auth requirement and you should immediately see the redirect to the specified redirect_uri. Note that if your OIDC application requires additional authenticators to be verified, the sessionToken will be insufficient.
This guide walks through how to do this: How to get tokens for an OIDC application without a browser using curl/Postman | Okta Help Center
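The browserless PKCE flow discussed above, as an added stand-alone example (not code from the thread or from Okta): it generates an S256 code_verifier/code_challenge pair, builds the /authorize URL from the second post with the `sessionToken` parameter the reply mentions, pulls the code out of the 302 `Location` header (with `response_mode=fragment` it lives after `#`) while checking `state`, and prepares the /v1/token exchange body. The issuer, client_id and redirect URI values are placeholders; nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def pkce_challenge_from_verifier(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh 43-char high-entropy verifier and its challenge; keep the verifier client-side only."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge_from_verifier(verifier)


def build_authorize_url(issuer, client_id, redirect_uri, session_token, code_challenge, state, nonce):
    """Authorization-code + PKCE request; sessionToken satisfies primary auth so no login page appears."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": "openid", "state": state, "nonce": nonce, "response_mode": "fragment",
        "code_challenge_method": "S256", "code_challenge": code_challenge,
        "sessionToken": session_token,
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def extract_code(location: str, expected_state: str) -> str:
    """Read the code from the redirect Location header (fragment for response_mode=fragment)."""
    parts = urlsplit(location)
    fields = parse_qs(parts.fragment or parts.query)
    if "error" in fields:  # Okta reports failures (e.g. unsupported response_type) the same way
        raise ValueError(f"authorize failed: {fields['error'][0]} {fields.get('error_description', [''])[0]}")
    if fields.get("state", [None])[0] != expected_state:  # reject responses not tied to our request
        raise ValueError("state mismatch: response does not belong to this request")
    return fields["code"][0]


def token_request_body(client_id, redirect_uri, code, code_verifier):
    """Form body for POST {issuer}/v1/token; the verifier proves we started this flow."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "code": code, "code_verifier": code_verifier})


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    # Placeholder org and client; the real session token comes from the /authn call
    print(build_authorize_url("https://YOUR-ORG.oktapreview.com/oauth2/default", "CLIENT_ID_PLACEHOLDER",
                              "http://localhost:3000/login/callback", "SESSION_TOKEN_PLACEHOLDER",
                              challenge, state, nonce))
```

Send the printed URL with redirects disabled, feed the 302 `Location` value to `extract_code`, then POST `token_request_body(...)` to the issuer's /v1/token endpoint with `Content-Type: application/x-www-form-urlencoded`.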