Create Okta SSO session in angular based on ID token received from external app using okta auth js library

We are building Angular 5 SPA and using Okta OIDC for user authentication. The angular app will be called from an external app like Salesforce within the enterprise. The user from external app will already be authenticated in Okta and the ID token will be passed from the external app.

In Angular we should not display the sign-in page to the user; instead we have to validate the ID token received with Okta for authenticity and establish an Okta SSO session. We were originally using the getWithRedirect method, where we pass the userid/pwd, get the ID token in Angular and add it to the tokenManager within web storage:

    login() {
        // Full-page redirect to Okta; the user signs in there and is sent back
        this.oktaAuth.token.getWithRedirect({
            responseType: ['id_token', 'token'],
            scopes: ['openid', 'email', 'profile']
        });
    }

    async handleAuthentication() {
        // Runs on the callback route: parse the tokens out of the URL fragment
        // and store them so the app can use them later
        const tokens = await this.oktaAuth.token.parseFromUrl();
        tokens.forEach(token => {
            if (token.idToken) {
                this.oktaAuth.tokenManager.add('idToken', token);
            }
            if (token.accessToken) {
                this.oktaAuth.tokenManager.add('accessToken', token);
            }
        });
    }

Please advise how we can validate the ID token received from the external app and use the same token for validating the user instead of asking the user to log in again.

Instead of get with redirect, you can attempt to get without prompt:

This will attempt to get tokens if a session exists in Okta.

Hi Tom,

I tried with the getWithRedirect and getWithoutPrompt options; they work fine when the SSO session exists in Okta. When the SSO session expires and the Angular app attempts to get new tokens, we get a login_required error: "The client specified not to prompt, but the user is not logged in."

Is there any option to get new tokens without a login prompt, irrespective of whether the Okta session exists or has expired?

You need to have an active session with Okta to be able to get new tokens (without a refresh token). Refresh tokens are not recommended for SPAs because of security; the silent refresh (getWithoutPrompt) is more secure, but requires that you have an active session with the IdP (Okta). You can increase the session timeout in Okta (Okta Sign-On Policy) if necessary.

In the event that you do not have an active session with Okta, how do you handle that gracefully in an Angular application? I’m using the okta-angular library, and I’m not sure how to handle/capture an expired session.
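Putting Tom's advice and the last two questions together, here is an added example (not code from this thread or from Okta's library) of how an Angular service could drive the silent flow and react to login_required without bouncing the user into an error. It assumes the okta-auth-js surface used in the question (token.getWithoutPrompt, token.getWithRedirect, tokenManager.add/get) and that OAuth errors carry an errorCode; the makeFakeOktaAuth stand-in, the expiresAt skew check and the ensureFreshTokens policy are my own constructions for illustration.

```javascript
// Added example, not code from the thread or from Okta.
// Assumed client interface (as used in the question's okta-auth-js code):
//   oktaAuth.token.getWithoutPrompt(opts) -> Promise of token(s), via hidden iframe
//   oktaAuth.token.getWithRedirect(opts)  -> full-page redirect to Okta
//   oktaAuth.tokenManager.add(key, token) / .get(key)
//   errors expose an OAuth `errorCode`, e.g. 'login_required'

const TOKEN_REQUEST = {
  responseType: ['id_token', 'token'],
  scopes: ['openid', 'email', 'profile'],
};

// OIDC error codes that mean "cannot complete without the user" (OpenID
// Connect Core 3.1.2.6). login_required is the one reported in the thread.
const INTERACTION_REQUIRED = new Set([
  'login_required', 'interaction_required', 'consent_required',
]);

// okta-auth-js tokens carry `expiresAt` (epoch seconds); treat a token as
// stale a little early so a request already in flight does not get a 401.
function isStale(token, nowSeconds = Math.floor(Date.now() / 1000), skew = 60) {
  return !token || typeof token.expiresAt !== 'number' || token.expiresAt - skew <= nowSeconds;
}

async function acquireTokensSilently(oktaAuth) {
  try {
    const result = await oktaAuth.token.getWithoutPrompt(TOKEN_REQUEST);
    // Older okta-auth-js returns an array when responseType is an array.
    const tokens = Array.isArray(result) ? result : [result];
    let stored = 0;
    for (const token of tokens) {
      if (token.idToken) { oktaAuth.tokenManager.add('idToken', token); stored += 1; }
      if (token.accessToken) { oktaAuth.tokenManager.add('accessToken', token); stored += 1; }
    }
    return { status: 'ok', stored };
  } catch (err) {
    if (err && INTERACTION_REQUIRED.has(err.errorCode)) {
      // The Okta session is gone: the silent flow cannot help and retrying
      // it would only loop. Report it so the caller can decide what to do.
      return { status: 'session_expired', stored: 0, reason: err.errorCode };
    }
    throw err; // network or configuration problems are not "expired"
  }
}

// Policy for the SPA: reuse a fresh token, otherwise refresh silently; if
// the Okta session has expired, send the user through the interactive
// login instead of surfacing the error. Returns the outcome so a route
// guard or HTTP interceptor can react to it.
async function ensureFreshTokens(oktaAuth, nowSeconds) {
  const current = await oktaAuth.tokenManager.get('accessToken');
  if (!isStale(current, nowSeconds)) return { status: 'cached', stored: 0 };
  const outcome = await acquireTokensSilently(oktaAuth);
  if (outcome.status === 'session_expired') {
    oktaAuth.token.getWithRedirect(TOKEN_REQUEST); // interactive fallback
  }
  return outcome;
}

// Constructed stand-in for an okta-auth-js client so the helpers run
// offline; it is not Okta's code. `sessionActive` simulates the IdP session.
function makeFakeOktaAuth({ sessionActive, nowSeconds }) {
  const store = new Map();
  const client = { redirects: 0 };
  client.token = {
    getWithoutPrompt: async () => {
      if (sessionActive) {
        return [
          { idToken: 'id.constructed', expiresAt: nowSeconds + 3600 },
          { accessToken: 'at.constructed', expiresAt: nowSeconds + 3600 },
        ];
      }
      const e = new Error('The client specified not to prompt, but the user is not logged in.');
      e.errorCode = 'login_required';
      throw e;
    },
    getWithRedirect: () => { client.redirects += 1; },
  };
  client.tokenManager = { add: (k, t) => store.set(k, t), get: (k) => store.get(k) };
  return client;
}
```

In a real app the redirect in ensureFreshTokens would first record the current route so the user lands back where they were; the decision that matters for security is that nothing in the SPA holds a long-lived credential, and an expired IdP session always ends in a visible sign-in rather than a retry loop.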