I have just set up a new project with my team under my company’s /default server. I have a script in Postman that logs the user in with the /authn endpoint using a username and password which gets a session token that I can use in the /authorize endpoint. However, whenever I hit the /authorize endpoint and try to get the token and id_token back from the /default server, it says that only code is configured response type even though I see “token id_token” under /.well-known/openid-configuration. Here is an example call (of course with the proper session token and client ID):
GET https://oktapreview.com/oauth2/default/v1/authorize?session_token=propersessiontoken&client_id=client_id&redirect_uri=http://localhost:3000/login/callback&response_type=token%20id_token&scope=openid&state=&nonce=nonce&response_mode=form_post&prompt=none
I have confidence in the script because it is working for another application and because I have tried just hitting the /authorize endpoint outside of the script in just a regular Postman call. Is there something missing in the Okta setting that is not allowing me to do token id_token? I am not able to see the settings because another team at my company is in charge of all things Okta.
I actually just found out that we are only supporting the PKCE flow and not the implicit flow anymore. However, I have tried to adjust my scripts so that I can make a call to the /authorize endpoint to get the code back instead, but I am confused as to how I can do this without having to log in after the call is made in Postman, if that makes sense. Would passing in a session token allow me to not have to have a prompt of login?
oauth2/default/v1/authorize?client_id=clientId&redirect_uri=http://localhost:3000/login/callback&response_type=code&scope=openid&state=state&nonce=nonce&response_mode=fragment&code_challenge_method=S256&code_challenge=challenge
Yes, if you add a sessionToken, to the /authorize request, you will have fulfilled the primary auth requirement and you should immediately see the redirect to the specified redirect_uri. Note that if your OIDC application requires additional authenticators to be verified, the sessionToken will be insufficient.
This guide walks through how to do this: How to get tokens for an OIDC application without a browser using curl/Postman | Okta Help Center
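The browser-less PKCE flow the answer describes, as an added Python example that is not part of the thread and not Okta's own code: it generates the code_verifier/code_challenge pair, builds the /authorize request with the sessionToken (Okta's parameter is spelled sessionToken, as in the answer, not session_token as in the first post's URL), reads the code out of the 302 Location header instead of following it, checks that the returned state matches the one sent, and exchanges the code at /v1/token with the verifier. The issuer and client_id values are placeholders; the redirect_uri is the one from the thread.

```python
import base64
import hashlib
import secrets
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders: replace with your org's issuer and the OIDC app's client_id.
ISSUER = "https://PLACEHOLDER-ORG.oktapreview.com/oauth2/default"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "http://localhost:3000/login/callback"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: base64url of random bytes, no padding (43 chars for 32 bytes)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(issuer, client_id, redirect_uri, session_token, state, nonce, challenge):
    """Authorization-code request that satisfies primary auth via the /authn session token."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "response_mode": "query",          # code comes back in the Location query string
        "code_challenge_method": "S256",
        "code_challenge": challenge,
        "sessionToken": session_token,     # spelling used by Okta's /authorize endpoint
        "prompt": "none",                  # fail instead of rendering a login page
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the 302 so we can read the Location header ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_redirect_location(url: str) -> str:
    """Perform the /authorize GET (live call) and return the Location header of the 302."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(url)
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers["Location"]
        raise
    raise RuntimeError("expected a redirect from /authorize")


def extract_code(location: str, expected_state: str) -> str:
    """Pull the code out of the redirect, handling response_mode=query or =fragment,
    surfacing OAuth errors, and refusing a response whose state does not match ours."""
    parts = urlsplit(location)
    qs = parse_qs(parts.query) if parts.query else parse_qs(parts.fragment)
    if "error" in qs:
        raise RuntimeError(f"authorize error: {qs['error'][0]} {qs.get('error_description', [''])[0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    return qs["code"][0]


def exchange_code(issuer, client_id, redirect_uri, code, verifier) -> str:
    """POST /v1/token with the code_verifier (live call); returns the raw JSON body."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }).encode("ascii")
    req = urllib.request.Request(
        f"{issuer}/v1/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Live run: session_token is the sessionToken returned by /api/v1/authn.
    session_token = "PLACEHOLDER_SESSION_TOKEN"
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(ISSUER, CLIENT_ID, REDIRECT_URI, session_token, state, nonce, pkce_challenge(verifier))
    code = extract_code(fetch_redirect_location(url), state)
    print(exchange_code(ISSUER, CLIENT_ID, REDIRECT_URI, code, verifier))
```

The verifier never leaves the client until the /v1/token call, which is what makes an intercepted code useless on its own; the state check is what stops a redirect belonging to another request from being accepted. If the app enforces additional authenticators, /authorize will return an error (or a login page if prompt=none is omitted) rather than a code, as the answer notes.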
