Using sessionToken how can get access_token and id_token

python

#1

Hi, I’m new to Okta and I’m trying to integrate my web portal with Okta using the custom login.

I have a login page that takes the username and password and sends them to Okta using the primary authentication API ({{url}}/api/v1/authn). The API responds with the user details and a sessionToken.

So using this sessionToken, how can I get the access_token and id_token?
Can you provide the API list?


#2

You want to use the OAuth 2.0 authorize route, specifying the sessionToken parameter:
https://developer.okta.com/docs/api/resources/oidc#authorize

Let me know if you have any questions about this!


#3

Hi Tom

Thank you for your reply.

  1. Making an API call to {{url}}/api/v1/authn (POST method with user details)
    res: got sessionToken
  2. API call: https://dev-255595.oktapreview.com/oauth2/v1/authorize?client_id=0oadeindnmS6oN5rN0h7&response_type=id_token token&scope=openid&prompt=none&response_mode=form_post&redirect_uri=https%3A%2F%2Fpulse.conviva.com&state=Af0ifjslDkj&nonce=n-0S6_WzA2Mj&sessionToken=20111sGo7p0ZI_pB-lfhCKlb3zCkDF9EV_dHGdlSE85xGow_3Qr7utM

Will it return the callback URL in the response, or how should I handle it?


#4

Take a look at this thread to learn how to get the access_token from a session token.
It also has sample code in JavaScript & .NET -


#5

I am using the Okta widget for authentication.
On sign-in, the callback URL gets the code and state and internally sets the cookie values, and the Python callback URL reads those cookie values; this works fine on my Linux Ubuntu machine.

When I run the same code on a Mac machine it does not work: the cookie values are set by the callback URL from the Okta response, but the same values cannot be read in the Python code.
What is the issue?
Does any browser setting need to change?


#6

@bala Can you post the code that is doing the login and setting the cookie? I’m not sure why Python would see a cookie on Linux but not on Mac.

Safari has some restrictions on third-party cookies, but it sounds to me like you are setting a first-party cookie. If you post your code we can take a look.


#7

Hi nate.barbettini,

Thank you for your quick response.

I have used this GitHub code:

https://github.com/jmelberg-okta/okta-oidc-django-samples.

OktaAuth.min.js and okta-sign-in.min.js are the only files setting the cookies in the client browser.

  1. When my application is deployed on a Linux machine, the client application on Linux or Mac works fine.
  2. The issue is observed when the application is deployed on the Mac platform.

#8

Hmm, that is not an issue I’ve seen before. Do you mean that the server is running on a Mac, or you are accessing the application on a Mac? If the latter, which browser are you using?

In order to debug this, can you provide a set of steps that always reproduce the issue?


#9

Hi nate.barbettini,

Before going on to solve this issue, I have one more question.

Regarding the logout API:

  1. https://dev-255595.oktapreview.com/api/v1/authn to get the session_id

  2. https://dev-255595.oktapreview.com/oauth2/v1/authorize?client_id=0oadeindnmS6oN5rN0h7&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fauthorization-code%2Fcallback&response_type=code&response_mode=query&state=FkSgPf7a6gRQcXt9IBFy0fy5foXIFUS6pYPB6aQhvHpSACdFxh1QJzgBTGHvhzv7&nonce=yG4cCBUwuRBob89woR8YuXeZdXelgk2jlMkZDthZyEdU27tfGHBsuZxrL98ybRW5&display=page&sessionToken=20111f6upKTDrSIBDI17c_C-f-s0Ck28SDBYG6eKEc8fn4nZihxkysH&scope=openid%20profile%20email

query parameter: client_id=0oadeindnmS6oN5rN0h7&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fauthorization-code%2Fcallback&response_type=code&response_mode=query&state=FkSgPf7a6gRQcXt9IBFy0fy5foXIFUS6pYPB6aQhvHpSACdFxh1QJzgBTGHvhzv7&nonce=yG4cCBUwuRBob89woR8YuXeZdXelgk2jlMkZDthZyEdU27tfGHBsuZxrL98ybRW5&display=page&sessionToken=20111f6upKTDrSIBDI17c_C-f-s0Ck28SDBYG6eKEc8fn4nZihxkysH&scope=openid%20profile%20email

  3. http://127.0.0.1:8000/authorization-code/callback?code=th40dAqyHSzO8moJxgu1&state=FkSgPf7a6gRQcXt9IBFy0fy5foXIFUS6pYPB6aQhvHpSACdFxh1QJzgBTGHvhzv7

  4. Using the code, generated the access_token and id_token


  5. Using the id_token, I have to call the logout API.

https://dev-255595.oktapreview.com/oauth2/v1/logout?post_logout_redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Flogin&id_token_hint=<the id_token obtained above>&state=FkSgPf7a6gRQcXt9IBFy0fy5foXIFUS6pYPB6aQhvHpSACdFxh1QJzgBTGHvhzv7

Here the logout API is not working; I am getting a 403 Forbidden error.


#10

Thank you for the detailed steps. I am going to try to reproduce this myself.

@bala What type of application are you building? Can you help me understand how it relates to your existing portal and to Okta?


#11

I am using a Python Django framework-based web application.


#12

My scenario may be different?

Relatively new to Okta. I have been using the sign-in widget and APIs, so I am familiar with several. However, this client wants to use the sign-in widget and then redirect to a custom dashboard. I only have the sessionToken provided by the sign-in widget response.

How do I get the user_id as simply as possible without changing everything to some other scheme? I have to pull over the specific user’s information and apps using those APIs, but right now I only have a sessionToken from the sign-in widget.

Thanks!
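The flow discussed across the thread (authorize with sessionToken in #2/#3, the callback and logout steps of #9, and reading the user id from the id_token in #12), as an added Python example that is not from the thread or from Okta's SDKs. The org URL, client_id and redirect_uri are the ones quoted in post #9; the sample id_token is constructed and unsigned; the POST of the code to /oauth2/v1/token is left to the caller.

```python
import base64
import json
import urllib.parse

# Values copied from the thread (org, client_id and the redirect_uri of post #9).
OKTA_ORG = "https://dev-255595.oktapreview.com"
CLIENT_ID = "0oadeindnmS6oN5rN0h7"
REDIRECT_URI = "http://127.0.0.1:8000/authorization-code/callback"

def build_authorize_url(session_token, state, nonce):
    # Trade the /authn sessionToken for an authorization code (post #3, step 2).
    # The code that comes back is then POSTed to /oauth2/v1/token for the tokens.
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "response_mode": "query", "scope": "openid profile email",
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce,
              "sessionToken": session_token}
    return f"{OKTA_ORG}/oauth2/v1/authorize?" + urllib.parse.urlencode(params)

def parse_callback(callback_url, expected_state):
    # Read the code off the redirect; a wrong state means a forged or replayed callback.
    q = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in q:
        raise ValueError(f"authorize error: {q['error'][0]}")
    return q["code"][0]

def id_token_claims(id_token, expected_nonce):
    # Decode the payload only; 'sub' is the user id asked for in post #12.
    # The signature is NOT checked here: verify it against /oauth2/v1/keys first.
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("nonce") != expected_nonce:      # binds the token to this login
        raise ValueError("nonce mismatch: token not issued for this request")
    return claims

def build_logout_url(id_token, state, post_logout_redirect_uri):
    # The /logout call from post #9, with the id_token passed as id_token_hint.
    params = {"id_token_hint": id_token, "state": state,
              "post_logout_redirect_uri": post_logout_redirect_uri}
    return f"{OKTA_ORG}/oauth2/v1/logout?" + urllib.parse.urlencode(params)

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample id_token so the decoding step runs offline.
SAMPLE_ID_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "constructed"}),
                            _b64url({"iss": OKTA_ORG, "sub": "00uEXAMPLEUSERID",
                                     "nonce": "n-0S6_WzA2Mj"}), "unsigned"])
```

Generate state and nonce with `secrets.token_urlsafe()` per login and keep them server-side; both checks above are what stop a callback or token from another session being accepted.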