Unable to validate id_token received from Okta Dashboard

Hello,

I am trying to log in using the Okta Dashboard and am receiving an id_token, but I am unable to validate the id_token and get user details. I found some links online but they did not help. Can someone help me with it?

Are you referring to the actual Okta end-user dashboard? If so, why are you trying to validate this token?

If not, is this a custom OIDC application you created in our org?

Yes, it is a custom OIDC application, and the Application type is Single Page Application.

I am clicking on the app on the dashboard and it redirects me to my application with a token. Is it an id_token or an access token?

When I try to log out, it does not behave in the same manner as when I log in through the initImplicitFlow() method.

Ah, so you created a custom application. In your screenshot, you can see that the ID token is being returned as a URL fragment (#).

Is your application able to parse that url to gather the ID token from its callback route (e.g. the redirect_uri you provided in the /authorize request)?

Andrea is right on target but to expand a little bit:

  1. The ID token is in the callback URL after the #. You can grab that base-64 string and put it into a parser, Okta’s parser is at https://token.dev.

  2. Implicit flow is deprecated in OAuth, you should really be using auth-code (web app) or auth-code + PKCE (single-page or native app). The reason is that the token is passed through the browser, which makes it insecure. You just read it yourself…

  3. If you are using the SDK, you can retrieve the token from the SDK after you land at the callback page in the application.

  4. Logout is tricky: do you want to log out of just your application, or do you want to log out of Okta too? If just the first, simply kill the application session. If the second, use the [your org]/oauth2/v1/logout endpoint.
