Auto login via previously generated access token


There is a requirement to allow auto login to Okta when a previously generated access token is provided.
Is there any Okta feature that can allow auto login without user password but by other means such as generated access token?
The user should be logged in from any other device as long as a valid access token is presented for the given user.
(Looking for a magic-link kind of option where the token is encapsulated into an access token for future use.)


I am not sure I understand. Access token is for your app to identify the user and log them in. If you have a valid access token, wouldn’t any of your apps use that to identify the user? What is the use case for the Okta auto login? I mean, why do you need the Okta session?

Generally, using a token generated on one device to log in on another would be considered a security risk. Having said that, a long-shot attempt (not sure if it will work) is, if you are using a custom domain on Okta, you can probably pass around the Okta session cookie?

Could you describe a bit more about your setup?

There are a couple of ways to go about this currently.

If you have 3rd-party cookies enabled, have a valid Okta session, and are trying to share that session with another app in the same browser, you could have the application check if a session exists.

If you don’t have 3rd-party cookies, or want to try to share tokens across different apps not running in the same browser, there is no currently supported solution to do this. You could have a service to send tokens to that the other application could download from at startup if available. If running in the same browser, maybe do a post message. Any of these solutions would have to be a custom solution.

For a magic link type of solution I recommend submitting it to Okta Ideas.

Thanks @gsvivek and @erik for the replies.

In short, the use case is that we need to do an integration with Google where Google triggers an OAuth flow (i.e. to Okta) and saves the access token in the relevant user’s Google account (via the browser’s Google session). Later, when the user accesses pages and there is no Okta session, Google will share the access token, and with that we need to log the user in to Okta without the user keying in a username and password.

@gsvivek I don’t think this session token works, as it can be used only one time as per my understanding.

@erik we are looking at any platform and any browser where the user might not have an Okta session.

Any thoughts on how to achieve this?

I actually meant the session cookie itself and not the session token, if you are using a custom domain. But looking at your use case, I don’t think that will work.

If you have Google, you can probably try adding it as an IdP on Okta and then trigger a login via Google session into Okta and from Okta into your apps?

Thanks @gsvivek. Google login is there, but in our use case not everyone has a Google login. So, we need to consider others as well.