We have recently configured the SiteMinder solution as an OIDC authorization provider and are configuring a client for the Authorization code grant flow.
While making a request to the /authorization endpoint, we are successfully able to obtain the code on the configured redirect_uri (hitting a GET request in the browser and after successful user challenge/authentication).
After that, when we are requesting a POST on the /token endpoint, it loads the login page configured for our authentication scheme.
Are we supposed to add SMSESSION cookie to the POST request?
Are any other cookies required in this request?
Do you have any sample request response formats for this use case?
Release : 12.8
Component : SiteMinder
In the POST request, the SMSESSION cookie is not required. But you need to provide the authorization code in the request. Without it, the following error is returned:
{
"error": "invalid_request",
"error_description": "Specify authorization_code as grant_type."
}
The POST request should have the following headers:
content_type=application/x-www-form-urlencoded
basic_auth=(null)
bearer_token=(null)
ssl_validate_server=0
timeout=60
outgoing_proxy=(null)
pass_cookies=0
ssl_cert=(null)
ssl_key=(null)
referer: https://refererURL/
POST data, something like this:
grant_type=authorization_code
code=<encrypted data>
redirect_uri=https%3A%2F%2Fexample.com%2Fprotected%2Fredirect
state=####
client_id=####
client_secret=####
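The token request described above, as an added example that is not part of the original article or of SiteMinder's own code: it builds the form-encoded POST with no cookies attached and tells a JSON response apart from an HTML login page. The token URL, client values and helper names are hypothetical placeholders.

```python
import json
import urllib.parse
import urllib.request

# Placeholder values (assumptions, not taken from the article).
TOKEN_URL = "https://sso.example.com/token"
REDIRECT_URI = "https://example.com/protected/redirect"


def build_token_request(code, client_id, client_secret, state):
    """Build the POST for the authorization code exchange, without sending it."""
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # urlencode() percent-encodes ':' and '/'
        "state": state,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    body = urllib.parse.urlencode(fields).encode("ascii")
    # Only Content-Type is set; no Cookie header (no SMSESSION) is attached.
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def classify_token_response(content_type, body_text):
    """Tell a JSON token or error response apart from a non-JSON page."""
    if "json" not in content_type.lower():
        return "not-json"  # e.g. the HTML login page seen in the question
    doc = json.loads(body_text)
    if "error" in doc:
        return "error: " + doc["error"]
    return "token-response"


if __name__ == "__main__":
    req = build_token_request("CONSTRUCTED-CODE", "my-client", "my-secret", "xyz123")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Constructed sample: the error body quoted in the article.
    sample = ('{"error": "invalid_request", '
              '"error_description": "Specify authorization_code as grant_type."}')
    print(classify_token_response("application/json", sample))
```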