We are using OKTA OpenId Connect rest API for authentication, when I call /oauth2/v1/authorize with session token, client id and other parameters I am getting html form as response with token and other response parameters as hidden fields


#1

We are using the OKTA OpenID Connect REST API for authentication. When I call /oauth2/v1/authorize with a session token, client id and other parameters, I am getting an HTML form as the response, with the token and other response parameters as hidden fields. I am expecting JSON output, not an HTML form page. I might be missing something; appreciate any inputs.
Here is the response I am getting:
the redirect URI HTML with these as hidden fields.

<form id="appForm" method="post" name="oauthResponse" action="redirecturi">
    <input type="hidden" name="state" value="af0ifjsldkj"/>
    <input type="hidden" name="id_token" value="id_token"/>
    <input type="hidden" name="access_token" value="access token"/>
    <input type="hidden" name="token_type" value="Bearer"/>
    <input type="hidden" name="expires_in" value="3600"/>
    <input type="hidden" name="scope" value="email&#x20;openid&#x20;profile"/>
</form>

#2

The format of the authorization response is controlled via the response_mode parameter. Okta supports several modes including query, fragment, form_post, and okta_post_message (proprietary).

The authorization endpoint is not a JSON API. It's intended to be a front-channel endpoint that you redirect the browser to. The token endpoint is the back-channel endpoint that returns JSON.

Are you trying to use OIDC from a Single Page App? If so, you might want to look at using okta_post_message, which can use HTML5 postMessage with a hidden iframe.

#3

Thank you mcguinness. This is a regular Spring web application, so I guess I have to use the token endpoint as you suggested, but I am getting "missing client credentials" with the token endpoint even though I am providing the client id and secret.
Our requirement is: if the user exists in OKTA, authenticate the user, generate a token and redirect the user to a different domain with the token.
These are the steps I was trying before.
1. Authenticate the user with a /api/v1/authn call.
2. Generate the token using /oauth2/v1/authorize. Since this is returning an HTML response, I can't use this, as you mentioned.
So if I use /oauth2/v1/token, do I still have to authenticate the user using /api/v1/authn, or can I directly use /oauth2/v1/token with the password grant type?

Here is my API request.
https://dev-xxxxxx.oktapreview.com/oauth2/v1/token

    params.add("client_id", "0oaartrttr9HXJEv0h7");
    params.add("client_secret", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
    params.add("username", "wwerwer@gmail.com");
    params.add("password", "Oktaxxxxxxx");
    params.add("grant_type", "password");
    params.add("scope", "openid offline_access");

#4

You should be able to use the password grant_type directly for your use case and avoid going through the AuthN API. You will need to use client credentials
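To make the front-channel / back-channel distinction from #2 and the client-credentials point from #4 concrete, here is an added example (my own code, not Okta's and not the poster's Spring code): it builds the back-channel /oauth2/v1/token password-grant request with the client credentials in an HTTP Basic header (client_secret_basic, one of the standard OAuth client authentication methods) and a form-encoded body, and it parses both a JSON token response and the form_post HTML from #1 into the same dictionary. The org URL, client id and credentials are constructed placeholders.

```python
import base64
import json
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed placeholder values; substitute your own org and client.
OKTA_ORG = "https://dev-xxxxxx.oktapreview.com"


def password_grant_request(client_id, client_secret, username, password,
                           scope="openid offline_access"):
    """Describe the back-channel token request for grant_type=password.

    The client authenticates with HTTP Basic (client_secret_basic); the
    resource-owner credentials travel in an application/x-www-form-urlencoded
    body. The caller POSTs url/headers/body with its HTTP client of choice.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return {"url": f"{OKTA_ORG}/oauth2/v1/token", "headers": headers, "body": body}


def parse_token_response(body):
    """Back channel: the token endpoint answers with a JSON object."""
    return json.loads(body)


class _HiddenFields(HTMLParser):
    """Front channel: response_mode=form_post delivers the same values as
    hidden inputs in an auto-submitting form; collect them by name."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True decodes &#x20; to a space
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def parse_form_post(html):
    parser = _HiddenFields()
    parser.feed(html)
    return parser.fields  # id_token still needs signature/issuer/audience validation
```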