Hello,
We have custom requirements to handle sending activation emails to users and to validate the activation token on our side (also accepting a password from the end user and setting it through the API).
We create users on Okta without credentials, setting activate=false to avoid sending the activation email from Okta, then we proactively call the activate API to get the activation token (step #2).
We then send the activationToken to the end user through our custom email provider. The user then clicks activate and goes to our custom page, where we call the Okta API to authenticate using the activation token (step #3):
https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token
But once this API call is done, the activationToken returned from step #2 is not valid anymore and can't be used again to authenticate the user. The end user could click on the link for any reason, close the browser, click again on the custom activation link, and use it even in another browser; then the activationToken won't be valid anymore, which is inconvenient.
Note: The Authentication API request using the activation token is sent from a trusted backend app with an API token, but without sending the User-Agent or X-Forwarded-For headers. The API call returns a success response, but only once for a given activationToken.
My question: is there a way to authenticate with this "activationToken" multiple times within its validity time frame?
Thanks
Ahmad