We currently have a mobile application that is authenticating using the Resource Owner Password flow (calling /token with email/password). I understand this is not the optimal flow but we are trying to configure this particular mobile app to work with Okta with minimal redevelopment effort.
This approach has been working for us for the majority of our user base. However, we recently integrated an Azure AD instance to serve as an external IDP for a portion of our user base. Some initial tests seem to indicate that we will not be able to use the same ROPC authentication approach for these users – calls to the OAuth API to authenticate fail for these users and we see a corresponding error log indicating “PASSWORD_BASED_LOGIN_DISALLOWED”. This makes sense given that Okta is not in possession of the actual credentials and needs to defer to the Azure AD instance to authenticate.
We are using the Okta Widget for our web application so this handles the Okta > Azure > Web App handoff process on its own, and this flow works as expected for Federated users.
My question is: is there any way to handle this Federated Authentication flow entirely through an API or Okta SDK so we can leverage our existing login screen within our mobile app? It would be a significant change to require federated users on mobile to login using our online login portal or Okta Widget – we do recognize this as an option, just one that we are trying to avoid if possible.
I see this early access feature in the API docs: Authentication | Okta Developer
Am I to understand that this would allow us to initiate a login flow for one of these Azure AD users?
Thank you in advance!