Widget using pkce

I’m using the widget with pkce: false and responseType: ['token', 'id_token'] (OIDC web application).

The token & tokenId should be passed as query params to my redirect URI, but… there are no query params at all.

When I use responseType: ['code'] I get the code in the params.

constructor:

// Widget configured for the implicit flow (pkce: false, tokens requested directly)
this.widget = new OktaSignIn({
  el: '#okta-signin-container',
  baseUrl: 'https://XXXX.okta.com',
  clientId: 'CCCCCC',
  redirectUri: 'http://localhost:......',
  authParams: {
    issuer: 'https://XXXX.okta.com/oauth2/default',
    pkce: false,
    responseType: ['token', 'id_token']
  }
});

ngOnInit() {
  // Render the widget and redirect to the redirectUri after sign-in
  this.widget.showSignInAndRedirect();
}

What could it be?

When you set PKCE to false and responseType is ['token', 'id_token'], then you are using the implicit flow and the tokens are returned in a fragment.

If id_token or token is specified as the response type, then query isn’t allowed as a response mode. Defaults to fragment in implicit and hybrid flows.


If the data comes in the fragment, is it available in Angular (frontend) only?

I’m trying to use the widget and give my API route (server) as the redirect URL.
In my API, I need to verify the token and pull the user info from the token to grant access to my existing app.

Is there any other way to do it?
How can I verify & get user info from the server using the “code” that came from the Okta login?

If you’re using showSignInAndRedirect then I think you need to parse the authorization code from the url and exchange it for tokens via the /token request. You can also check out the Okta Auth JS library:

You can also check out the Okta Angular sample app as well. This one uses the widget:

The redirectUrl is sent to my server (Elixir), so I can’t use the fragment.
When I try to use ‘code’, the code is passed correctly to the server route.

But how can I get the token from the code on the server? (in an Elixir server) (is it possible?!)

The links you sent, and also my research, are all about Angular or JS.
Where can I find simple REST API docs for the Okta auth API?