/v1/authorize API call stopped working after migrating to the Integrator free plan

We were using a custom client for the Okta auth integration

// Call that builds the query params for /authorize (nonce and state hard-coded here)
oktaOauthClient.authorize(customOktaProperties.getServiceId(), Map.of(
        "nonce", "23321",
        "client_id", customOktaProperties.getClientId(),
        "response_type", "code",
        "scope", "offline_access",
        "redirect_uri", customOktaProperties.getRedirectUrl(),
        "sessionToken", sessionToken,
        "state", "sdasdas"
));

// Feign client method that receives the query params above
@GetMapping("/{authServiceId}/v1/authorize")
void authorize(@PathVariable("authServiceId") String authServiceId,
               @SpringQueryMap Map<String, String> queryParameters);

Okta responds with: HTTP/1.1 400 Bad Request

I can’t figure out what has changed and why it stopped working.

Any particular error message returned when the 400 was encountered?

Just 400. I see lots of request/response headers printed out, but the body is missing.

response: HTTP/1.1 400 Bad Request

That sounds a bit like this article: Error “400 Bad Request” when Redirecting to the /authorize Endpoint with no Error Description | Okta Help Center

Did you update your client ID variable with one from a client created in the new org?

Yes, I did. I can get a sessionToken via the API, so it seems to work partially.

Then I try to get an authorization code using the sessionToken,

and then finally get an accessToken in exchange for the authorization code.

I’ve downloaded the Postman collection “API Access Management (OAuth 2.0)” and I see that the call to

Get Authorization Code (Requires Interceptor) looks different;

here is the template for the call from the Postman collection:

{{url}}/oauth2/{{authorizationServerId}}/v1/authorize?client_id={{clientId}}&response_type=code&response_mode=query&scope={{scopes}}&redirect_uri={{redirectUri}}&state={{state}}&nonce={{$guid}}

My old call:

  • passes sessionId; I don’t see such a param in the new API request. How is it supposed to work then? I don’t understand.
  • doesn’t have the param response_body; the new API sets this param to response_mode=query

I have no idea how to make it work… The documentation doesn’t give any clue at all, and the response is a 400 too, unfortunately.

I got a bit lost in your response: is the /authorize request returning a 400, or the /token request? Do you see any errors logged in the System Log (in the admin console) for your application when you encounter the 400?

The /authorize endpoint still supports being passed a sessionToken returned by the /authn endpoint, but that option should really only be used in an Okta Classic org and is not recommended for Okta Identity Engine orgs, as the /authn endpoint cannot evaluate Authentication Policies assigned to the application; it can only evaluate against the Global Session Policy of the Okta org itself.
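As an added example (not code from this thread or from Okta), here is the /authorize request from the Postman template above built in Python instead of the Feign client, with the optional sessionToken parameter, and the authorization code pulled out of the redirect the way the old client read it from the “location” header. Unlike the original call, state and nonce are generated per request and state is checked on the way back; the base URL, authorization server id, client id, redirect URI and sessionToken values are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


def build_authorize_url(base_url, auth_server_id, client_id, redirect_uri,
                        scopes, session_token=None):
    """Build the /authorize URL from the Postman template.

    Returns (url, state, nonce). state and nonce are random per request;
    the caller must keep them to validate the redirect and the ID token.
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",   # code is returned in the redirect query string
        "scope": scopes,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if session_token:
        # Classic-org style sessionToken from /authn; see the reply above for
        # why this is not recommended on Identity Engine orgs.
        params["sessionToken"] = session_token
    url = f"{base_url}/oauth2/{auth_server_id}/v1/authorize?{urlencode(params)}"
    return url, state, nonce


def extract_code(location, expected_state, redirect_uri):
    """Pull the authorization code out of a 302 Location header.

    Rejects a redirect to anything but our registered redirect_uri, a
    missing or mismatched state, and an error response from Okta.
    """
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != redirect_uri:
        raise ValueError("redirect target does not match registered redirect_uri")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale request or forged redirect")
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise ValueError(f"authorize error {query['error'][0]}: {desc}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code
```

If Okta returns 200 with an HTML page instead of a 302, response_mode was not query, so look for the code in the page body rather than in a Location header.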

My bad, I didn’t configure the env for Postman correctly.

Now I have another problem. The old code uses a Feign client. Okta responded with an error; the response contained a “location” header, and I was fetching the authorization code from there. Now Okta responds 200. I still don’t understand how to programmatically get an access token using a login and password.

Phew, glad it was a simple environment issue.

In the response body returned from the /authorize request, do you see a code value inside the page that was returned?

For reference, this article walks through how to complete this flow in Postman (albeit not using our Postman collection): How to Get Tokens for an OIDC Application without a Browser Using Curl/Postman | Okta Help Center
