One of my apps requires the authorization code flow to be initiated via POST request when signing a nonce. I notice that when POST is used, Okta will return an HTTP 404, whereas a GET will succeed.
Note: When making requests to the /authorize endpoint, the browser (user agent) should be redirected to the endpoint. You can’t use AJAX with this endpoint.
We have a PSD2 compliant banking application that would require HTTP POST for the authorization code flow, as we need to pass a JWT token to be signed in the nonce field.
Are there any customization options which could be used to work around this POST limitation?
I’ve been reading the Scopes and supported endpoints documentation (/docs/guides/implement-oauth-for-okta/scopes/) and I see POST is supported when updating a resource:
Are there any additional options available which could help me achieve this when using a custom authorization server (/docs/guides/customize-authz-server/overview/), similar to the default one in Okta Developer edition?
Here’s a successful login to the app via HTTP GET:
The doc you referenced ("/docs/guides/implement-oauth-for-okta/scopes/") is specifically for the Okta API endpoints (Users, Groups, etc). You would still make a GET request to /authorize so I’m not sure what you meant.
Is there a reason why you need to pass a JWT in the nonce parameter?
It includes the standard OIDC claims plus some additional fields for bank transaction data. (dummy info of course for this example.)
We can move this JWT from the nonce field to a “custom” field if needed, but as you can guess, this isn’t something we can pass easily using a GET due to the payload size, so a POST is used instead.
I’m aware of the link about PSD2, but that doesn’t really help me; that’s just talking conceptually.
For us to consider adding our application to the Okta directory at some point in the future, we would need to figure this part out.
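The thread turns on two things: the /authorize request is a front-channel GET whose parameters all travel in the query string, and the nonce parameter is designed to bind the returned ID token to the login attempt rather than to carry data. The example below is added here and is not code from the thread or from Okta. It builds the GET request the poster showed working, checks the resulting URL against a query-string length bound, and verifies that a returned ID token echoes the stored nonce; the issuer, client_id, redirect_uri and the length limit are constructed placeholders, and the ID token is a constructed, unsigned token (signature verification against the issuer's JWKS is a separate step a JOSE library performs and is not shown).

```python
"""Authorization-code request construction and nonce binding check.

Added example, not code from the original thread or from Okta. Assumes a
generic OpenID Connect provider whose authorize endpoint is <issuer>/v1/authorize;
every concrete value below is a constructed placeholder.
"""
import base64
import json
import secrets
from urllib.parse import urlencode

# Conservative bound for a query string that browsers and proxies pass through
# reliably. This is an assumption for the example, not an Okta limit.
URL_LENGTH_LIMIT = 2048


def new_nonce() -> str:
    """Fresh, unguessable nonce; stored server-side for this login attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, nonce: str) -> str:
    """Front-channel GET to /authorize: all parameters ride in the URL."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def url_fits(url: str, limit: int = URL_LENGTH_LIMIT) -> bool:
    """True when the full request URL stays within what a GET can carry."""
    return len(url) <= limit


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT WITHOUT verifying the signature.

    In production the signature is verified against the issuer's JWKS first;
    that step is out of scope for this example.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def nonce_matches(id_token: str, expected_nonce: str) -> bool:
    """Compare the ID token's nonce claim with the value saved when the
    request was built, in constant time. A mismatch means the token was not
    issued for this login attempt and must be rejected."""
    claims = decode_jwt_payload(id_token)
    return secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce)


def make_constructed_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for the demonstration only."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.placeholder-signature"


if __name__ == "__main__":
    issuer = "https://example.okta.com/oauth2/default"   # constructed placeholder
    nonce = new_nonce()
    url = build_authorize_url(issuer, "0oa-constructed-client", "https://app.example/callback",
                              "openid profile", secrets.token_urlsafe(16), nonce)
    print("request fits in a GET:", url_fits(url))

    # A multi-kilobyte JWT dropped into the nonce field pushes the URL past the bound.
    oversized = build_authorize_url(issuer, "0oa-constructed-client", "https://app.example/callback",
                                    "openid profile", "s", "x" * 4000)
    print("oversized request fits in a GET:", url_fits(oversized))

    token = make_constructed_id_token({"iss": issuer, "sub": "user-1", "nonce": nonce})
    print("nonce bound to this login:", nonce_matches(token, nonce))
```

The design point is that the nonce stays small and random because its only job is to let the client reject an ID token that was not minted for the current session; moving large application data into it, or into any other query parameter, runs straight into the URL size problem the poster describes.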