Okta and OpenID - Response Type as id_token instead of Code
Hello, We are setting up okta SSO integration. We had to setup Okta application as below image. For this to work and get all profile attributes as part of response token, we had to send Resoponse_Type as ID_token instead of Code. Seems Pega by default its setting response_type as Code (see below url form from debug logs). Is there a way to change this to id_token instead of Code. ** Well known configurations says "response_types_supported":["code","token","id_token","code id_token", "code token","id_token token","code id_token token"]If any once has faced similar problem please reply
Pega Generated URL from debug logs: (auth.oidc.OIDCClientHandler) DEBUG - Constructed authorization URL for OIDC provider : https://xxxx.okta.com/oauth2/v1/authorize?redirect_uri=https%3A%2F%2Fxxxxx-yy.pegacloud.io%2Fprweb%2FPRAuth&client_id=0oaa3070gTNLBlCry5d6&scope= openid email profile &state=2076dfcc92122b9f8effdbefbf9bc0a926c19e6a075b3caf7e63caae78d9bebb_app/default &nonce=9f86244e409c6514524a23cc3394f057e5c8b41f82e56076bfa88cbe146fa518 &response_type=code
Expected URL:
Hello, We are setting up okta SSO integration. We had to setup Okta application as below image. For this to work and get all profile attributes as part of response token, we had to send Resoponse_Type as ID_token instead of Code. Seems Pega by default its setting response_type as Code (see below url form from debug logs). Is there a way to change this to id_token instead of Code. ** Well known configurations says "response_types_supported":["code","token","id_token","code id_token", "code token","id_token token","code id_token token"]If any once has faced similar problem please reply
Pega Generated URL from debug logs: (auth.oidc.OIDCClientHandler) DEBUG - Constructed authorization URL for OIDC provider : https://xxxx.okta.com/oauth2/v1/authorize?redirect_uri=https%3A%2F%2Fxxxxx-yy.pegacloud.io%2Fprweb%2FPRAuth&client_id=0oaa3070gTNLBlCry5d6&scope= openid email profile &state=2076dfcc92122b9f8effdbefbf9bc0a926c19e6a075b3caf7e63caae78d9bebb_app/default &nonce=9f86244e409c6514524a23cc3394f057e5c8b41f82e56076bfa88cbe146fa518 &response_type=code
Expected URL:
(auth.oidc.OIDCClientHandler) DEBUG - Constructed authorization URL for OIDC provider : https://xxxx.okta.com/oauth2/v1/authorize?redirect_uri=https%3A%2F%2Fxxxxx-yy.pegacloud.io%2Fprweb%2FPRAuth&client_id=0oaa3070gTNLBlCry5d6&scope= openid email profile &state=2076dfcc92122b9f8effdbefbf9bc0a926c19e6a075b3caf7e63caae78d9bebb_app/default &nonce=9f86244e409c6514524a23cc3394f057e5c8b41f82e56076bfa88cbe146fa518 &response_type=id_token
OKTA Application implicit grant type:
DirecTV
US
This is resolved as part of SR (INC-166086)
Root cause description:
A defect or configuration issue in the operating environment - Additional attributes implemented at OpenID Okta Idp were not getting passed to Pega in the default OpenID flow.
Solution type: Local Change - Pega Rule Solution description: Additional attributes are getting passed in D_pzSSOAttributes page by implementing following changes in OpenID Auth service rule - 1) Add the userinfo endpoint url in the Authentication flow. 2) In Advanced Configuration, Set Client Authentication scheme to POST 3) In Advanced Configuration , set send access token as Authorization Header. 4) Okta IDP to make changes to pass custom attribute to userinfo endpoint url.