Hello everyone,
I am implementing a CIBA (Client-Initiated Backchannel Authentication) flow and have a question regarding the best way to handle scopes, specifically for a one-time device binding action.
Here is the current user flow:
- Login: The user logs in using the authorization code flow with PKCE, as detailed in the Okta blog post on the topic (https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce). At this stage, an access token and a refresh token are retrieved.
- Device Binding: To bind a device, the okta.myAccount.appAuthenticator.manage scope is required. The goal is to avoid requesting this scope during the initial login for two main reasons:
  - It’s a one-time action, and it’s preferable not to have this permission in the access token for the entire session.
  - The aim is to avoid having this scope included in the refresh token.
To obtain the okta.myAccount.appAuthenticator.manage scope, the interaction_code flow is currently being used.
This results in the user having to provide their credentials and a second factor twice: once for the initial login and again for the device binding.
My questions are:
- Is it possible to reuse the user’s initial login session to avoid challenging them for their credentials and a second factor again when the additional scope for device binding is needed?
- Is there a more recommended approach for implementing a login followed by a device binding flow using the Okta API endpoints that would improve the user experience by reducing the number of authentication challenges?
I appreciate your help!
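The post describes a PKCE login that deliberately requests only session scopes, with the okta.myAccount.appAuthenticator.manage scope kept out of the access and refresh tokens. The following is an added example, not code from the original post or from Okta: it generates the S256 PKCE verifier/challenge pair, builds the login authorization request with a least-privilege scope set, and checks a token response so a client can confirm the privileged scope never ended up in the session's tokens. The issuer URL, client id, redirect URI and the two token responses are constructed placeholders; the `/v1/authorize` path and the parameter names are standard OAuth 2.0 / PKCE (RFC 7636).

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Scopes the long-lived session should carry (assumption: typical OIDC login set).
SESSION_SCOPES = ["openid", "profile", "offline_access"]

# Privileged scope named in the post; it must only be granted for the one-time
# device-binding step, never to the session's access/refresh tokens.
DEVICE_BINDING_SCOPE = "okta.myAccount.appAuthenticator.manage"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge).

    32 random bytes -> 43-character verifier, inside the 43..128 range RFC 7636 allows.
    The verifier stays on the client; only the challenge goes in the authorize request.
    """
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str, code_challenge: str) -> str:
    """Build the authorization-code + PKCE request for the initial login.

    Refuses to include the device-binding scope: that scope is requested in a
    separate, short-lived step so it never lands in the refresh token.
    """
    if DEVICE_BINDING_SCOPE in scopes:
        raise ValueError(f"{DEVICE_BINDING_SCOPE} must not be requested at login")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def granted_scopes(token_response: dict) -> set[str]:
    """Scopes the authorization server actually granted (space-delimited 'scope' member)."""
    return set(token_response.get("scope", "").split())


def session_tokens_are_least_privilege(token_response: dict) -> bool:
    """True when the session's token response carries no device-binding permission.

    Call this on the /token response of the login flow before storing the refresh
    token; a False here means the privileged scope leaked into the long-lived session.
    """
    return DEVICE_BINDING_SCOPE not in granted_scopes(token_response)


# Constructed sample token responses (not real Okta output).
LOGIN_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile offline_access",
    "access_token": "<constructed>",
    "refresh_token": "<constructed>",
}
OVERSCOPED_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile offline_access " + DEVICE_BINDING_SCOPE,
    "access_token": "<constructed>",
    "refresh_token": "<constructed>",
}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(
        issuer="https://example-org.okta.com/oauth2/default",  # placeholder issuer
        client_id="<client-id-placeholder>",
        redirect_uri="https://app.example/callback",
        scopes=SESSION_SCOPES,
        state=secrets.token_urlsafe(16),
        code_challenge=challenge,
    )
    print("login authorize URL:", url)
    print("session least-privilege:", session_tokens_are_least_privilege(LOGIN_TOKEN_RESPONSE))
    print("overscoped session:", session_tokens_are_least_privilege(OVERSCOPED_TOKEN_RESPONSE))
```

The login request is deliberately scoped down and the post-`/token` check is the guard for the second concern in the post: if the device-binding scope ever appears in the session's `scope` string, the refresh token issued alongside it would carry that permission for the life of the session, which is exactly what separating the two requests is meant to prevent.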