I'm using SAML auth for employees at my company… and the goal is to be able to have them log in to an OIDC application.
I have got it to the point where Okta does the authentication and redirects me to my OIDC application, but it only gives me an ID token. I need an access token so I can load data from my API.
Not sure what the best solution is here. I could start using the id_token to validate API calls, but I hear that is the wrong approach.
Hey @kdavis - can you provide some detail on how you have this set up? More info on your configuration, or a network trace of the authentication redirect would be helpful.
The goal is to have employees log in to our customer application. I have two Okta orgs: one for our employees and one for our customers. I've set up Okta Org2Org from the employee org -> customer org (inbound SAML).
On our customer org, we have an OIDC application. On this application I've set up Login Initiated by 'Either Okta or App', and for the login flow I have 'Send ID Token directly to app (Okta Simplified)'. I then use the App Embed link it gives me as my RelayState on my SAML auth from my other org.
Our customer application is a SPA. We use Okta JS to sign in customers and retrieve access tokens via the authorize route using the sessionToken Okta gives us. I would like to do the same thing, if possible, for employees.
Thanks for the detailed explanation. If I’m understanding correctly:
Customers (users in the customer org) log into the SPA by visiting the SPA directly and logging in using Auth.js
You want employees (users in the employees org) to be able to click a chiclet on their employee dashboard and be redirected/automatically logged in to the SPA
This is working, but you’re landing on the SPA with only an ID token (not an access token)
That's correct. I do API authorization using access tokens, and since I don't have one, no data can be loaded. Not sure if I should just switch to using id_tokens for API authorization.
Maybe I need to be using id_tokens on my internal APIs to do authorization, since all I care about is who is logged in. Access tokens, from what I'm reading, are used to have access to resource servers?