Authenticate secondary iFrame application

We have an angular application that we have the Okta widget functioning well with. It sends the access token to our API and the API verifies it and everything works for that.

We also have a native Javascript application that is embedded into the Angular application via an iFrame. We would like to the user to be able to seamlessly enter the iFrame application using the Okta session already created. We have tried sending access token as a URL parameter but that caused stability issues on the iFrame application. I thought that perhaps there was a way to send the OktaId token or the refresh token, to allow the iFrame application to use them to get it’s own Access token, but when I call this.oktaAuth.getRefreshToken() it always returns null.

Anyone come across this before? Thanks in advance.

Here is our widget configuration:
this.signIn = await new OktaSignIn({
logo: “assets/images/xxx/xxx.png”,
el: “sign-in-widget”,
clientId: environment.oktaClientId,
redirectUri: environment.oktaCallBack,
baseUrl: https://${environment.oktaOrg},
authParams: {
pkce: true,
helpSupportNumber: “xxxx”,
i18n: {
en: {
“primaryauth.title”: “xxxxx”,
helpLinks: {
help: “xxxxxx”,
useInteractionCodeFlow: false,

The widget being called:

    el: "#sign-in-widget",
    scopes: ["openid", "profile", "email"], //sampleConfig.oidc.scopes,
  .then((tokens: Tokens) => {
    // Remove the widget
    //this.oktaAuth.getRefreshToken() returns null
    //the tokens in the callback here are Access and IdToken
    // In this flow the redirect to Okta occurs in a hidden iframe
  .catch((err: any) => {
    // Typically due to misconfiguration
    throw err;