Evan_HZY

Reputation: 1024

Okta: Failed to get authorization code through API call

I'm integrating Okta to my own IdP server by using Okta's API.

I'm implementing the Authorization code flow by following the steps below:

  1. In my own server, use the /api/v1/authn endpoint to get the sessionToken.

  2. Use the sessionToken to obtain the authorization by calling this endpoint: /oauth2/v1/authorize?client_id=" + clientId + "&sessionToken=" + sessionToken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirectUrl + "&state=evanyang&nonce="

It's supposed to return a response with status code 302 and with the Location header containing the redirect url as well as the code value.

However, I keep getting a response with status code 200 and without the Location header, with an HTML body saying "You are using an unsupported browser." and "JavaScript is disabled on your browser."

According to the API documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request, the sessionToken parameter is sufficient to do this: An Okta one-time sessionToken. This allows an API-based user login flow (rather than Okta login UI).

Am I missing any extra requirement for getting the authorization code through API? Please help.

Thanks in Advance :)

Upvotes: 1

Views: 2461

Answers (2)

Evan_HZY

Reputation: 1024

This issue is caused by obtaining a session ID between obtaining the session token and the authorization code. Once the session token is used to get a session ID, it becomes invalid, which means it cannot be used to get an authorization code anymore.

According to Okta, the Authorization Code grant type and the Authorization endpoint can be used through an API-based web app too, as long as the session token is provided in the request: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request. In fact, one can use this script (https://github.com/SohaibAjmal/Okta-OpenId-Scripts) to finish the flow.

Upvotes: 0
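The flow the answer describes, written out as an added example that is not code from the question, the answers or the linked script: the one-time sessionToken from /api/v1/authn is spent exactly once, on the /oauth2/v1/authorize call, and the response is only accepted when it is the 302 redirect carrying code= and the state that was sent; the 200 HTML page the question saw is reported as a failure. The org host, client ID, credentials and the two sample responses are constructed placeholders, and the use of http.client (which does not follow redirects) is this example's choice, not something the page prescribes.

```python
"""
Added example: API-based authorization-code flow against the two endpoints named
on the page, /api/v1/authn and /oauth2/v1/authorize.  Hostnames, client ID and
credentials are placeholders; the two sample responses at the bottom are
constructed to stand in for the outcomes described on the page.
"""
import http.client
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizeError(Exception):
    """Raised when /oauth2/v1/authorize does not hand back an authorization code."""


def build_authorize_url(client_id, session_token, redirect_uri, state, nonce):
    """Build the /oauth2/v1/authorize request path with every parameter URL-encoded.

    The question assembled this by string concatenation with an empty nonce;
    here state and nonce are caller-supplied random values so the redirect can
    be checked against the request that produced it.
    """
    params = {
        "client_id": client_id,
        "sessionToken": session_token,   # the one-time token from /api/v1/authn
        "response_type": "code",
        "response_mode": "query",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return "/oauth2/v1/authorize?" + urlencode(params)


def extract_code(status, headers, expected_state):
    """Pull the authorization code out of an authorize response.

    Only a 302 whose Location carries code= and our own state counts as success.
    A 200 (the HTML login page from the question) or an error= redirect raises
    AuthorizeError with a reason the caller can log.
    """
    if status != 302:
        raise AuthorizeError(
            f"expected 302 redirect, got {status}; the sessionToken was probably "
            "already consumed (for example by a sessions call) or not sent")
    location = headers.get("Location")
    if not location:
        raise AuthorizeError("302 without a Location header")
    query = parse_qs(urlparse(location).query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise AuthorizeError(f"{query['error'][0]}: {desc}")
    if query.get("state", [None])[0] != expected_state:
        raise AuthorizeError("state mismatch: redirect does not belong to this request")
    if "code" not in query:
        raise AuthorizeError("redirect carries no code parameter")
    return query["code"][0]


def get_session_token(okta_host, username, password):
    """POST credentials to /api/v1/authn and return the sessionToken (live call)."""
    conn = http.client.HTTPSConnection(okta_host, timeout=10)
    body = json.dumps({"username": username, "password": password})
    conn.request("POST", "/api/v1/authn", body=body,
                 headers={"Content-Type": "application/json",
                          "Accept": "application/json"})
    resp = conn.getresponse()
    data = json.loads(resp.read())
    if resp.status != 200 or data.get("status") != "SUCCESS":
        raise AuthorizeError(f"authn did not succeed: {resp.status} {data.get('status')}")
    return data["sessionToken"]


def authorize_with_session_token(okta_host, client_id, session_token, redirect_uri):
    """Spend the sessionToken on /oauth2/v1/authorize and return the code (live call).

    http.client does not follow redirects, so the 302 and its Location header
    stay visible instead of being chased through to redirect_uri.
    """
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    conn = http.client.HTTPSConnection(okta_host, timeout=10)
    conn.request("GET", build_authorize_url(client_id, session_token, redirect_uri, state, nonce))
    resp = conn.getresponse()
    headers = {"Location": resp.getheader("Location")}  # case-insensitive lookup
    return extract_code(resp.status, headers, state)


# Constructed responses standing in for the two outcomes described on the page.
SUCCESS_302 = (302, {"Location": "https://app.example.test/callback?code=constructed-code-123&state=abc"})
UNSUPPORTED_200 = (200, {"Content-Type": "text/html"})  # the "unsupported browser" HTML page


if __name__ == "__main__":
    print("code:", extract_code(*SUCCESS_302, expected_state="abc"))
    try:
        extract_code(*UNSUPPORTED_200, expected_state="abc")
    except AuthorizeError as exc:
        print("failure reported:", exc)
```

Run stand-alone it exercises only the two constructed responses; get_session_token and authorize_with_session_token are the live calls, and the point of keeping them separate is that nothing between them touches the sessionToken.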

Hans Z.

Reputation: 54088

The Authorization Code grant type and the Authorization endpoint in there are meant to be accessed through a browser, not a non-browser client.

Upvotes: 0
