
tidy9 (tidy9) asked a question.
Hi everyone!
I'm looking into implementing OpenID Connect authentication in a web app, and I was working on a test app using an Okta developer account when I encountered a weird behavior with error handling.
Let's say my test app uses an Authorization code flow and has implicit mode disabled. If I redirect the user to the /authorize endpoint with the redirect_type set to 'token', it is supposed to return an error, which is what happens.
However, the HTTP 302 response I get from Okta redirects the browser to a location that looks like:
Notice the hash ('#') character before the query parameters. Isn't it supposed to be a question mark? Note that when authentication is successful the redirect location is correctly formatted with a ?. I have not tested with a real Okta identity provider, so I don't know if that problem would happen in a production environment. However, that makes it quite difficult to intercept authentication errors while working on a test project with an Okta developer identity provider.

Hi Nathan,
As you are specifying token as your response_type, `query` is not supported as the response_mode. When you are using implicit flow and you do not supply a response_mode, Okta defaults to returning the response via a hash fragment, as you are seeing. This behavior is covered in our OIDC reference over here.
If you remove your response_type OR change your response_type to `code` and otherwise generate a request that will fail (such as for a non-existent scope or a user not assigned to the app), you should see the error instead returned as a `query` parameter.
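The practical consequence of the answer above is that a callback handler has to be prepared for the error to arrive in either place: in the query string (the default for `response_type=code`) or in the fragment (the default for implicit responses such as `response_type=token`). The following is an added example, not code from the thread or from Okta; the `/callback` URL, the `state` value and the sample error strings are constructed, and the only assumption is that the response parameters are form-encoded in whichever part of the URL they land in, as OAuth 2.0 specifies.

```javascript
// Added example (not from the original thread): extract OIDC/OAuth 2.0
// response parameters from a redirect URI regardless of whether the
// authorization server put them in the query string (response_mode=query,
// the default for response_type=code) or in the URL fragment (the default
// for implicit responses such as response_type=token).
//
// A fragment is never sent to the server, so a server-side callback that
// only reads the query string silently misses an error delivered in the
// fragment; browser-side code has to read window.location.hash and act on it.

function parseOidcRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  // The fragment uses the same application/x-www-form-urlencoded format as
  // a query string, so both can be fed to URLSearchParams.
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : '';
  const mode = fragment.length > 0 ? 'fragment' : 'query';
  const source = mode === 'fragment' ? fragment : url.search.replace(/^\?/, '');
  const params = Object.fromEntries(new URLSearchParams(source));
  return { mode, params };
}

// Classify the redirect. An OAuth 2.0 error response carries `error` (and
// optionally `error_description`); a successful code-flow response carries
// `code`. Either one must echo the `state` the client sent, so a mismatch is
// reported before anything else is trusted.
function classifyRedirect(redirectUrl, expectedState) {
  const { mode, params } = parseOidcRedirect(redirectUrl);
  if (expectedState !== undefined && params.state !== expectedState) {
    return { kind: 'state_mismatch', mode, params };
  }
  if (params.error) {
    const description = params.error_description || '';
    return { kind: 'error', mode, error: params.error, description, params };
  }
  if (params.code) {
    return { kind: 'code', mode, params };
  }
  return { kind: 'unknown', mode, params };
}

// Constructed sample redirects (hypothetical host, state and messages).
const SAMPLE_FRAGMENT_ERROR =
  'https://app.example.com/callback#error=unsupported_response_type&error_description=The%20response%20type%20is%20not%20supported&state=abc123';
const SAMPLE_QUERY_ERROR =
  'https://app.example.com/callback?error=invalid_scope&error_description=One%20or%20more%20scopes%20are%20not%20configured&state=abc123';
const SAMPLE_QUERY_CODE =
  'https://app.example.com/callback?code=constructedAuthCode&state=abc123';
```

In a browser, pass `window.location.href` to `classifyRedirect`; on a server, only the query-string case can ever be observed.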