authClient.session.get() hitting 404 error on api/v1/sessions/me

I am attempting to implement the Okta Sign-In Widget for a serverless (JAMstack) single page web app.

The okta-signin-widget library is loaded from the CDN using:

<link rel=stylesheet href=https://global.oktacdn.com/okta-signin-widget/4.0.0/css/okta-sign-in.min.css>
<script src=https://global.oktacdn.com/okta-signin-widget/4.0.0/js/okta-sign-in-no-jquery.js></script>

Instantiating OktaSignIn seems to work fine. And the promise from authClient.session.get() gets resolved, but it also triggers a 404 error.

const oktaConfig = {
   baseUrl:  'https://dev-XXXXXX.okta.com',
   clientId: 'XXXXXXXXXXXXXXXXXXXX',
   authParams: {
      issuer:       'https://dev-XXXXXX.okta.com/oauth2/default',
      responseType: ['token', 'id_token'],
      display:      'page',
      },
   };
const oktaSignIn = new window.OktaSignIn(oktaConfig);
if (!oktaSignIn.hasTokensInUrl())
   oktaSignIn.authClient.session.get().then(console.log);  //resolves with: { status: 'INACTIVE' }

The result is:

Failed to load resource: the server responded with a status of 404 ()
https://dev-XXXXXX.okta.com/api/v1/sessions/me

I currently have node serving up the static web app on: http://localhost:7777

How do I fix this 404 error?

Not quite sure what exactly you are trying to do, and at which stage it fails for you, but to some degree it makes sense if there is no session yet. https://developer.okta.com/docs/reference/api/sessions/#get-session states that "If the session is invalid, a 404 Not Found response will be returned."

But why are you trying to check the session? It seems from your config that you are up to an OIDC flow, which normally doesn't require you going into session business on your own. I'd expect something like https://developer.okta.com/code/javascript/okta_sign-in_widget/#sign-in-to-your-application. Or am I missing something?

I’m having the exact same issue with the 404 error. What I am trying to do is just follow the tutorial for using the Okta SignIn Widget. Just trying to learn at this point. It seems though, that since the session cannot be retrieved, the sign in widget is displayed every time the user refreshes the page.

I could be wrong, like I said I’m just learning, but I thought the session would be a way to keep the user logged in for a period of time without re-submitting credentials.

The call to renderEl() displays the widget just fine and once the user signs in it even returns a session with status 'ACTIVE' plus a token. However, the subsequent call to authClient.session.get() still returns {status: "INACTIVE"}.

I can’t figure out how to tell if the user is signed in.

const oktaConfig = {
   baseUrl:  config.oktaDomain,  //"https://dev-XXXXXX.okta.com"
   logo:     'https://dnajs.org/graphics/bookmark.png',
   features: { registration: true },  //needed to create user account
   };
const oktaSignIn = new window.OktaSignIn(oktaConfig);
const handleSignIn = (response) => {
   oktaSignIn.remove();  //close widget
   if (response.status === 'SUCCESS')
      oktaSignIn.authClient.session.get().then(handleSession);  //{status: "INACTIVE"} why?
   else
      console.log('Sign in failed');
   };
const handleSession = (session) => {
   if (session.status === 'ACTIVE')
      console.log('>>> User logged in:', session);  //never gets here, why?
   else
      oktaSignIn.renderEl({ el: '#okta-login-container' }, handleSignIn);
   };
oktaSignIn.authClient.session.get().then(handleSession);

Is authClient.session.get() the correct way to check the user’s logged in status?

Oh, now I see. I think it's because after you got SUCCESS you have a session token in hand, but not the session cookie, which would mean that you have a session.

From the documentation you are supposed to do something like:

function success(res) {
  if (res.status === 'SUCCESS') {
    res.session.setCookieAndRedirect('https://example.com/dashboard');
  }
}

Only after that, I believe, will you have a session cookie, and hence the session.
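One way to structure the flow the last two replies describe, as an added example (not code from the thread or from Okta): it assumes a widget object with the renderEl/remove/authClient methods used above and a SUCCESS response exposing session.setCookieAndRedirect() as the Okta docs show; the redirect URL and the fake widget are constructed placeholders.

```javascript
// Example code added to illustrate the replies above; it is not code from the
// thread or from Okta. It assumes a widget object shaped like the one in the
// thread (renderEl, remove, authClient.session.get) and a SUCCESS response whose
// session has setCookieAndRedirect(), as the Okta docs describe.

const REDIRECT_URI = 'https://example.com/dashboard'; // placeholder app URL

// Map a session lookup result to a signed-in flag. The thread shows that an
// unauthenticated GET /api/v1/sessions/me logs a 404 in the console but
// resolves as { status: 'INACTIVE' }; a rejected promise is treated the same way.
function interpretSession(session) {
  const signedIn = Boolean(session) && session.status === 'ACTIVE';
  return { signedIn, login: signedIn ? session.login : null };
}

async function checkSession(authClient) {
  let session = null;
  try {
    session = await authClient.session.get();
  } catch (err) {
    // e.g. a 404 surfaced as an error: no session, not a fatal failure
  }
  return interpretSession(session);
}

// Widget callback. On SUCCESS the response carries a one-time session token,
// not a session cookie; only setCookieAndRedirect() sets the cookie, which is
// why session.get() right after SUCCESS still reported INACTIVE.
function handleSignIn(widget, res, redirectUri = REDIRECT_URI) {
  widget.remove(); // close the widget
  if (res.status !== 'SUCCESS') return { action: 'failed', status: res.status };
  res.session.setCookieAndRedirect(redirectUri);
  return { action: 'redirect', redirectUri };
}

// Page-load entry point: render the widget only when no session cookie exists.
async function bootstrap(widget, containerSelector = '#okta-login-container') {
  const { signedIn, login } = await checkSession(widget.authClient);
  if (signedIn) return { action: 'signed-in', login };
  widget.renderEl({ el: containerSelector }, (res) => handleSignIn(widget, res));
  return { action: 'rendered-widget' };
}

// Constructed stand-in for the widget, so the flow can be run without a browser.
function fakeWidget(sessionResult) {
  const calls = [];
  return {
    calls,
    authClient: { session: { get: () => Promise.resolve(sessionResult) } },
    remove: () => calls.push('remove'),
    renderEl: (opts) => calls.push('renderEl:' + opts.el),
  };
}
```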
