API /api/v1/session/me does not work for me

Hello,

I use either Postman, or call APIs with a Node.js axios middleware where I enable withCredentials: true.
I call the following sequence:

POST https://{{oktaDomain}}/api/v1/authn
GET https://{{oktaDomain}}/api/v1/session/me

where my Okta domain has the form “subdomain.okta.com”. It results in success and I get a sessionToken. It ends in 404.

I check the set-cookie in the response from Okta, I get the following:

set-cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
set-cookie: autolaunch_triggered=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
set-cookie: JSESSIONID=D5580D3E88377D8162699772E3D6E440; Path=/; Secure; HttpOnly

The sid cookie is empty, and it seems this is the cookie I need to identify the session in the following requests.
Why is this cookie value empty? How do I correct that?

Thanks!
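An added check, not part of this thread, that reads Set-Cookie lines like the three quoted above and reports whether each cookie was established or cleared. A cookie sent with an empty value and an Expires date in the past is the server deleting that cookie, which is why an empty sid cannot be used as a session. The sample input is the three lines from the post; the session cookie name sid is taken from them.

```javascript
// Added example (not from the thread): classify Set-Cookie header lines so a
// "sid" that is really a deletion is not mistaken for a session.

// Sample input: the three Set-Cookie lines quoted in the post above.
const SAMPLE_SET_COOKIE = [
  'sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/',
  'autolaunch_triggered=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/',
  'JSESSIONID=D5580D3E88377D8162699772E3D6E440; Path=/; Secure; HttpOnly',
];

// Parse one Set-Cookie line into { name, value, attributes }. Attribute names
// are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let value = eq === -1 ? '' : pair.slice(eq + 1);
  if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
    value = value.slice(1, -1); // quoted cookie-value (RFC 6265)
  }
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// "cleared": expiry in the past or Max-Age <= 0 (the only way a server can
// delete a cookie); "empty": no value but no expiry; "set": everything else.
function cookieState(cookie, now = Date.now()) {
  const { expires, 'max-age': maxAge } = cookie.attributes;
  if (typeof maxAge === 'string') {
    const n = Number(maxAge);
    if (Number.isFinite(n) && n <= 0) return 'cleared';
  }
  if (typeof expires === 'string') {
    // Date.parse wants the RFC 1123 form; Okta writes day-month-year with hyphens.
    const t = Date.parse(expires.replace(/-/g, ' '));
    if (!Number.isNaN(t) && t <= now) return 'cleared';
  }
  return cookie.value === '' ? 'empty' : 'set';
}

// Summarise a response's Set-Cookie lines by cookie name.
function summarizeSetCookie(lines, now = Date.now()) {
  const summary = {};
  for (const line of lines) {
    const cookie = parseSetCookie(line);
    summary[cookie.name] = {
      state: cookieState(cookie, now),
      secure: cookie.attributes.secure === true,
      httpOnly: cookie.attributes.httponly === true,
    };
  }
  return summary;
}

// True only if the response actually established an Okta session cookie.
function hasOktaSession(lines, now = Date.now()) {
  const sid = summarizeSetCookie(lines, now).sid;
  return sid !== undefined && sid.state === 'set';
}
```

Run against the three lines from the post, summarizeSetCookie reports sid and autolaunch_triggered as cleared and only JSESSIONID as set, so hasOktaSession returns false: the authn response did not create a session, it removed any previous one.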

Can you post the code you’re using with nodejs?

Hello Sherry,
Thanks for your help.

I define several functions in nodejs, which I copy here. When I chain primaryAuthentication and getCurrentSession, I get 404.
It is easily reproducible with Postman also.

Regards,
Joel


import axios from 'axios'

// env, oktaAPIKey, getUserById, context, cOkta and the t* types are defined
// elsewhere in the project and are not shown here.

// Shared axios instance. withCredentials is an XMLHttpRequest flag: it matters
// for requests made from a browser, and the Node http adapter ignores it.
export const axiosInstance = axios.create({
   timeout: 30 * 1000,
   withCredentials: true
})

const oktaConfig = {
   headers: {
      Accept: 'application/json',
      Authorization: `SSWS ${oktaAPIKey}`,
      'Content-Type': 'application/json',
   }
}

export async function primaryAuthentication(login: string, password: string): Promise<tOktaAuthenticationResult> {
   try {
      const authUrl = `https://${env.OKTA_DOMAIN}/api/v1/authn`

      const authResponse = await axiosInstance.post(authUrl, {
         username: login,
         password: password,
         options: {
            multiOptionalFactorEnroll: true,
            warnBeforePasswordExpired: true
         }
      }, oktaConfig)

      // A stateToken means the transaction is still in progress (e.g. MFA);
      // a sessionToken comes only with status SUCCESS.
      let token: string | undefined
      if (authResponse.data.stateToken) {
         token = authResponse.data.stateToken
      } else if (authResponse.data.sessionToken) {
         token = authResponse.data.sessionToken
      }

      if (token) {
         const userId: string = authResponse.data._embedded.user.id
         const userProfile: tUser = await getUserById(userId, context)
         return {
            success: true,
            userProfile: userProfile,
            status: authResponse.data.status,
            // Return the token that was actually found; returning
            // authResponse.data.stateToken here lost the sessionToken case.
            token: token
         }
      }
      // Neither token present: the declared return type promises a result,
      // so fail explicitly instead of resolving to undefined.
      throw new Error(`Unexpected authentication status: ${authResponse.data.status}`)
   } catch (error: any) {
      error.source = cOkta
      throw error
   }
}

export async function getCurrentSession(): Promise<tSessionInfos> {
   try {
      // This endpoint identifies the session by the sid cookie on the request.
      // A server-side call carries no such cookie, so Okta answers 404.
      const requestUrl = `https://${env.OKTA_DOMAIN}/api/v1/sessions/me`
      const response = await axiosInstance.get(requestUrl, oktaConfig)
      return {
         sessionId: response.data.id,
         login: response.data.login
      }
   } catch (error: any) {
      error.source = cOkta
      throw error
   }
}

You have to exchange the session token for a session cookie first, then the sessions API will work. Basically that means you need to pass the user’s browser through the Okta org with the session token, and Okta will set the session cookie into the browser, and then redirect the user to where you want them to go. Look at the second topic down from the start of the sessions doc: Sessions | Okta Developer.


Hello jmussman, thanks for the help.

I use the following code:

clientAppRouter.get('/login', async (req, resp) => {
   // Note: credentials passed as GET query parameters end up in server logs
   // and browser history.
   const sessionToken = await okta.primaryAuthentication(req.query.login, req.query.password)
   // Append the one-time sessionToken to the application's embed link.
   const redirectUrl: string = getOktaOutboundUrl(appId) + `?sessionToken=${sessionToken}`
   resp.redirect(redirectUrl)
})

The function getOktaOutboundUrl retrieves an embed link of a SAML Application in Okta.
It works well: the user is redirected, the sessionToken allows his authentication, a cookie is set on the browser, and the user lands on the target application page.
However, when I trigger getCurrentSession from my code afterwards, it does not work.

It seems that the redirection to the embed link sets the cookie in the browser, but this cookie is not captured by my JavaScript code running on the server side.

I am not able to logout and delete this cookie afterwards.

I tried to use the Okta API Create Session from a session token, but I have a hard time understanding how to use the session created to log the user in the SAML application afterwards.

Regards,
Joel

The session cookie is a first-party cookie after you go pick it up. JavaScript can’t see it, but it is there if you want to pass it with the XHR request. If the getCurrentSession code is the same as above you are simply not sending the session cookie. Try adding { withCredentials: true } to the axios get call.
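The flow discussed across the replies above, pulled together as an added example that is not the thread's code: primary authentication yielding a one-time sessionToken, the browser-side exchange through the embed link that the first reply describes, the server-side Create Session with a session token that the original poster mentions, the sessions/me call with credentials that this reply is about, and closing a session by id. It is written against an injectable fetch so it runs offline with a stub; the endpoints are Okta's public ones (POST /api/v1/authn, POST /api/v1/sessions, GET /api/v1/sessions/me, DELETE /api/v1/sessions/{id}), while the domain, tokens, ids and app link are placeholders.

```javascript
// Added example (not the thread's code): the session-token exchange as the
// replies describe it, against an injectable fetch so it runs offline.
// Domain, tokens, ids and the app link are placeholders.
const JSON_HEADERS = { Accept: 'application/json', 'Content-Type': 'application/json' };

// Step 1: primary authentication. Only status SUCCESS carries a sessionToken,
// which is a one-time token; MFA states carry a stateToken instead.
async function primaryAuthentication(fetchImpl, oktaDomain, username, password) {
  const res = await fetchImpl(`https://${oktaDomain}/api/v1/authn`, {
    method: 'POST', headers: JSON_HEADERS, body: JSON.stringify({ username, password }),
  });
  const data = await res.json();
  if (!res.ok || data.status !== 'SUCCESS' || !data.sessionToken) {
    throw new Error(`primary authentication incomplete: HTTP ${res.status}, status ${data.status}`);
  }
  return data.sessionToken;
}

// Step 2a, browser flow: send the user through Okta with the sessionToken so
// Okta sets the sid cookie in the browser. URLSearchParams encodes the token.
function buildEmbedLinkRedirect(embedLink, sessionToken) {
  const url = new URL(embedLink);
  url.searchParams.set('sessionToken', sessionToken);
  return url.toString();
}

// Step 2b, server flow (Create Session with session token): the server spends
// the token itself and keeps the session id. Use 2a or 2b, not both, because
// the token is single-use. SSWS header sent as in the thread's oktaConfig.
async function createSessionFromToken(fetchImpl, oktaDomain, apiToken, sessionToken) {
  const res = await fetchImpl(`https://${oktaDomain}/api/v1/sessions`, {
    method: 'POST', headers: { ...JSON_HEADERS, Authorization: `SSWS ${apiToken}` },
    body: JSON.stringify({ sessionToken }),
  });
  if (!res.ok) throw new Error(`create session failed: HTTP ${res.status}`);
  const data = await res.json();
  return { id: data.id, login: data.login, expiresAt: data.expiresAt };
}

// sessions/me needs the sid cookie, which only the user's browser holds, so this
// belongs in browser code; credentials: 'include' is fetch's withCredentials.
// Without the cookie Okta answers 404, the symptom reported in the thread.
async function getCurrentSession(fetchImpl, oktaDomain, withCredentials) {
  const res = await fetchImpl(`https://${oktaDomain}/api/v1/sessions/me`, {
    method: 'GET', headers: { Accept: 'application/json' },
    credentials: withCredentials ? 'include' : 'omit',
  });
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`sessions/me failed: HTTP ${res.status}`);
  const data = await res.json();
  return { id: data.id, login: data.login };
}

// Server-side logout by session id (from step 2b); no browser cookie involved.
async function closeSessionById(fetchImpl, oktaDomain, apiToken, sessionId) {
  const res = await fetchImpl(`https://${oktaDomain}/api/v1/sessions/${encodeURIComponent(sessionId)}`, {
    method: 'DELETE', headers: { Accept: 'application/json', Authorization: `SSWS ${apiToken}` },
  });
  if (res.status === 204) return true;  // closed
  if (res.status === 404) return false; // already gone
  throw new Error(`close session failed: HTTP ${res.status}`);
}

// Constructed stub for fetch: records calls, returns canned Okta-shaped bodies,
// and models the cookie rule: sessions/me succeeds only with credentials sent.
function makeStubFetch() {
  const calls = [];
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  const session = { id: 'placeholder-session-id', login: 'user@example.com', expiresAt: '1970-01-01T00:00:00.000Z' };
  const fetchImpl = async (url, init = {}) => {
    const method = init.method || 'GET';
    calls.push({ url, method, credentials: init.credentials });
    const { pathname } = new URL(url);
    if (pathname === '/api/v1/authn') return reply(200, { status: 'SUCCESS', sessionToken: 'placeholder-session-token' });
    if (pathname === '/api/v1/sessions' && method === 'POST') return reply(200, session);
    if (pathname === '/api/v1/sessions/me') return init.credentials === 'include' ? reply(200, session) : reply(404, {});
    if (pathname.startsWith('/api/v1/sessions/') && method === 'DELETE') return reply(204, null);
    return reply(404, {});
  };
  return { fetchImpl, calls };
}

// Runs the whole flow offline and returns every intermediate result.
async function demo() {
  const { fetchImpl, calls } = makeStubFetch();
  const domain = 'example.okta.com', apiToken = 'placeholder-api-token';
  const sessionToken = await primaryAuthentication(fetchImpl, domain, 'user@example.com', 'placeholder-password');
  const redirect = buildEmbedLinkRedirect('https://example.okta.com/home/placeholder-app/placeholder-link', sessionToken);
  const noCookie = await getCurrentSession(fetchImpl, domain, false); // null: the thread's 404
  const withCookie = await getCurrentSession(fetchImpl, domain, true);
  const session = await createSessionFromToken(fetchImpl, domain, apiToken, sessionToken);
  const closed = await closeSessionById(fetchImpl, domain, apiToken, session.id);
  return { sessionToken, redirect, noCookie, withCookie, session, closed, calls };
}
```

demo() reuses one placeholder token for both 2a and 2b only because the stub does not enforce single use; a real integration picks one path. If the browser path is used, getCurrentSession runs in the page against the Okta domain, so the app's origin must also be allowed for CORS in the org's trusted origins, and the server never sees the sid cookie; if the server path is used, the session id returned by createSessionFromToken is what closeSessionById needs later, with no cookie involved.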

Hello, all my axios requests have withCredentials set to true, if you look at my code:

export const axiosInstance = axios.create( {
   timeout: 30*1000,
   withCredentials: true
})

All my requests use axiosInstance instead of axios.

My question can be boiled down to: how to logout after login with embed link and sessionToken?

Thanks!