This article explains how to verify whether applications use the Authorization Code flow rather than the legacy Implicit flow.
- OpenID Connect (OIDC)
- OAuth 2.0
- Single-Page Applications (SPA)
- Web Applications
Current OAuth 2.0 guidance (the OAuth 2.0 Security Best Current Practice, RFC 9700) recommends the Authorization Code flow with PKCE and advises against the Implicit flow, because Implicit returns tokens in the redirect URL fragment, where they are exposed to browser history and can leak through the Referer header.
To confirm whether an application is using the Authorization Code grant type, use either of the following two methods:
Method 1: Inspect the Authorization Request
Check the authorization request URL that the application sends to the Okta /authorize endpoint (https://{yourOktaDomain}/oauth2/v1/authorize for the Org Authorization Server, or https://{yourOktaDomain}/oauth2/{authorizationServerId}/v1/authorize for a Custom Authorization Server). The response_type parameter defines the flow:
- Authorization Code Flow: the request contains response_type=code.
- Implicit Flow: the request contains response_type=token, response_type=id_token, or response_type=id_token token.
- A response_type that combines code with id_token or token (for example response_type=code id_token) is the OIDC Hybrid flow. It still returns a token in the front-channel redirect and should be treated like Implicit for the purpose of this check.
When response_type=code is present, the application receives a short-lived authorization code in the redirect and then exchanges it in a separate back-channel POST request to the /token endpoint to retrieve the actual tokens, so no token appears in the browser URL. A code-flow request that also carries code_challenge and code_challenge_method=S256 is using PKCE, which is the recommended configuration for SPAs and native apps; a code-flow request without code_challenge still passes this check but is not the recommended configuration.
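The following function automates the inspection above: it parses an authorize URL, classifies the flow from response_type (treating Hybrid separately from pure Authorization Code), and reports the PKCE, state and nonce parameters a reviewer would look for. It is an added example, not Okta code; the three sample URLs, the client_id and the code_challenge value are constructed placeholders.

```javascript
// Classify an OAuth 2.0 / OIDC authorization request by inspecting its query parameters.
// Added example (not Okta's code). Sample URLs below are constructed; the client_id and
// code_challenge values are placeholders, not real identifiers.

function classifyAuthorizeRequest(rawUrl) {
  const url = new URL(rawUrl);
  const params = url.searchParams;
  // response_type is a space-separated set of values; order is not significant.
  const types = new Set((params.get("response_type") || "").split(/\s+/).filter(Boolean));

  let flow;
  if (types.has("code") && types.size === 1) flow = "authorization_code";
  else if (types.has("code")) flow = "hybrid";                       // e.g. "code id_token"
  else if (types.has("token") || types.has("id_token")) flow = "implicit";
  else flow = "unknown";

  return {
    // "/oauth2/v1/authorize" = Org AS; "/oauth2/<id>/v1/authorize" = Custom AS
    endpoint: url.pathname,
    responseType: [...types].sort().join(" "),
    flow,
    pkce: {
      present: params.has("code_challenge"),
      method: params.get("code_challenge_method"),                // "S256" expected
    },
    // Anything other than a pure code response delivers a token in the redirect itself.
    tokensInRedirect: flow === "implicit" || flow === "hybrid",
    state: params.get("state"),
    nonce: params.get("nonce"),
  };
}

// Turn the classification into the findings a reviewer would raise.
function reviewAuthorizeRequest(rawUrl) {
  const r = classifyAuthorizeRequest(rawUrl);
  const findings = [];
  if (r.flow === "implicit") findings.push("implicit flow: tokens returned in the URL fragment");
  if (r.flow === "hybrid") findings.push("hybrid flow: a token is still returned in the redirect");
  if (r.flow === "authorization_code" && !r.pkce.present) findings.push("no PKCE code_challenge");
  if (r.pkce.present && r.pkce.method !== "S256") findings.push("PKCE code_challenge_method is not S256");
  if (!r.state) findings.push("missing state parameter");
  if (r.responseType.includes("id_token") && !r.nonce) findings.push("id_token requested without nonce");
  return { ...r, findings };
}

// Constructed sample requests against a fictitious org; not captured from a real application.
const SAMPLE_REQUESTS = {
  code:
    "https://example.okta.com/oauth2/default/v1/authorize?client_id=0oaEXAMPLE&response_type=code" +
    "&scope=openid%20profile&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&state=s1" +
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256",
  implicit:
    "https://example.okta.com/oauth2/v1/authorize?client_id=0oaEXAMPLE&response_type=id_token%20token" +
    "&scope=openid&redirect_uri=https%3A%2F%2Fspa.example.com%2Fcallback&state=s2&nonce=n2",
  hybrid:
    "https://example.okta.com/oauth2/default/v1/authorize?client_id=0oaEXAMPLE&response_type=code%20id_token" +
    "&scope=openid&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&state=s3",
};

for (const [name, url] of Object.entries(SAMPLE_REQUESTS)) {
  const r = reviewAuthorizeRequest(url);
  console.log(name, r.flow, r.findings.length ? r.findings : "no findings");
}
```

Paste the URL copied from the browser's network tab (the request to /authorize, before the redirect) into classifyAuthorizeRequest; the flow field answers the question in this method, and findings lists the parameters that are missing or weak.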
Method 2: Search Okta System Logs
To identify successful Authorization Code requests within an environment, query the System Log for the specific events triggered during the authorization phase.
1. Log in to the Okta Admin Console.
2. Navigate to Reports > System Log.
3. Enter the following query in the search bar to capture both OIDC and OAuth 2.0 authorization code requests:
   eventType eq "app.oauth2.authorize.code" OR eventType eq "app.oauth2.as.authorize.code"
   Note on Event Types:
   - app.oauth2.authorize.code: an OIDC authorization code request via the Org Authorization Server.
   - app.oauth2.as.authorize.code: an OAuth 2.0 / OIDC authorization code request via a Custom Authorization Server (including the default server).
4. Click Search and review the target field of each event to identify the application name. To scope the search to one application, add a clause such as target.displayName eq "<application name>" to the query.
The absence of these events does not by itself prove that an application uses the Authorization Code flow; the application may simply not have authenticated during the search window. For the same period, also search the corresponding implicit-flow event types (app.oauth2.authorize.implicit.* for the Org Authorization Server and app.oauth2.as.authorize.implicit.* for a Custom Authorization Server) to confirm that no Implicit requests are being made.
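The same review can be done in bulk over exported System Log events (for example, output of the /api/v1/logs API). The example below, which is added here and is not Okta code, counts successful authorization code and implicit events per application and lists the applications that still use Implicit; it also builds the filter expression from step 3 scoped to one application. The event records are constructed to follow the System Log event shape (eventType, outcome.result, target[].type / displayName) and are not real log data.

```javascript
// Summarize OAuth 2.0 / OIDC flow usage per application from Okta System Log events.
// Added example, not Okta's code. The event records below are constructed for illustration;
// their shape (eventType, outcome, target) follows the System Log API, the values do not
// come from a real tenant.

const CODE_EVENTS = ["app.oauth2.authorize.code", "app.oauth2.as.authorize.code"];
const IMPLICIT_PREFIXES = ["app.oauth2.authorize.implicit.", "app.oauth2.as.authorize.implicit."];

// Map an eventType to the flow it records, or null for unrelated events.
function classifyEvent(eventType) {
  if (CODE_EVENTS.includes(eventType)) return "code";
  if (IMPLICIT_PREFIXES.some(p => eventType.startsWith(p))) return "implicit";
  return null;
}

// The application appears in the event's target list with type "app".
function appOf(event) {
  const app = (event.target || []).find(t => t.type === "app");
  return app ? app.displayName : "(unknown app)";
}

function summarizeFlowsByApp(events) {
  const summary = {};
  for (const ev of events) {
    const flow = classifyEvent(ev.eventType);
    if (!flow || ev.outcome?.result !== "SUCCESS") continue;      // only successful authorizations
    const entry = (summary[appOf(ev)] ??= { code: 0, implicit: 0, authServers: new Set() });
    entry[flow] += 1;
    // ".as." in the event type marks a Custom Authorization Server; otherwise it is the Org AS.
    entry.authServers.add(ev.eventType.includes(".as.") ? "custom" : "org");
  }
  return summary;
}

function appsStillUsingImplicit(summary) {
  return Object.entries(summary).filter(([, e]) => e.implicit > 0).map(([name]) => name).sort();
}

// The step 3 query, scoped to one application via target.displayName.
// Assumes backslash-escaping for embedded double quotes in the filter value.
function buildSystemLogFilter(appName) {
  const safe = appName.replace(/"/g, '\\"');
  return `(eventType eq "${CODE_EVENTS[0]}" OR eventType eq "${CODE_EVENTS[1]}") AND target.displayName eq "${safe}"`;
}

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { eventType: "app.oauth2.as.authorize.code", outcome: { result: "SUCCESS" },
    target: [{ type: "app", displayName: "Web App A" }, { type: "AuthorizationServer", displayName: "default" }] },
  { eventType: "app.oauth2.as.authorize.code", outcome: { result: "SUCCESS" },
    target: [{ type: "app", displayName: "Web App A" }] },
  { eventType: "app.oauth2.authorize.implicit.id_token", outcome: { result: "SUCCESS" },
    target: [{ type: "app", displayName: "Legacy SPA B" }] },
  { eventType: "app.oauth2.authorize.code", outcome: { result: "FAILURE", reason: "invalid_client" },
    target: [{ type: "app", displayName: "Legacy SPA B" }] },
  { eventType: "user.session.start", outcome: { result: "SUCCESS" }, target: [] },
];

const summary = summarizeFlowsByApp(SAMPLE_EVENTS);
for (const [name, e] of Object.entries(summary)) {
  console.log(name, `code=${e.code} implicit=${e.implicit} servers=${[...e.authServers].join(",")}`);
}
console.log("still using implicit:", appsStillUsingImplicit(summary));
console.log(buildSystemLogFilter("Web App A"));
```

Run it against a JSON export of the System Log for the period under review; applications that appear only under code are candidates for confirming PKCE with Method 1, and anything listed by appsStillUsingImplicit needs migrating regardless of what its code events show.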
