Create Okta SSO session in angular based on ID token received from external app using okta auth js library

alicehelen84 · February 26, 2018, 7:31pm

We are building Angular 5 SPA and using Okta OIDC for user authentication. The angular app will be called from an external app like Salesforce within the enterprise. The user from external app will already be authenticated in Okta and the ID token will be passed from the external app.

In angular we should not display the sign in page to user, instead we have to validate the ID token received with Okta for authenticity and establish Okta SSO session. We were originally using getWithRedirect method where we pass the userid/pwd and get the Id token in Angular and add it to tokenManager within the webstorage

 login() {
      this.oktaAuth.token.getWithRedirect({ 
      responseType: ['id_token', 'token'],
      scopes: ['openid', 'email', 'profile']
    });
  }

  async handleAuthentication() {
    const tokens = await this.oktaAuth.token.parseFromUrl();
    tokens.forEach(token => {
      if (token.idToken) {
        this.oktaAuth.tokenManager.add('idToken', token);
      }
      if (token.accessToken) {
        this.oktaAuth.tokenManager.add('accessToken', token);
      }
    });
  }

Please advice how can we validate the ID token received from external app and use the same token for validating the user instead of asking the user to login again

tom · March 3, 2018, 6:36pm

Instead of get with redirect, you can attempt to get without prompt:

This will attempt to get tokens if a session exists in Okta.

alicehelen84 · June 20, 2018, 7:14pm

Hi Tom,

I tried with the getWithRedirect or getWithoutPrompt option, it works fine when the SSO session exists in Okta. When the SSO session expires and the angular app attempts to get new tokens, we are getting login_required error - The client specified not to prompt, but the user is not logged in.

Is there any option to get new tokens without login prompt irrespective of Okta session exists or expired

tom · June 21, 2018, 9:56pm

You need to have an active session with Okta to be able to get new tokens (without a refresh token). Refresh tokens are not recommended for SPAs because of security, the silent refresh (getWithoutPrompt) is more secure, but requires you have an active session with the IdP (okta). You can increase the session timeout in okta (Okta Sign-on policy) if necessary.

jakehockey10 · September 7, 2018, 1:18am

In the event that you do not have an active session with okta, how do you handle that gracefully in an angular application? I’m using the okta-angular library, and I’m not sure how to handle/capture expired session.

system · January 12, 2024, 11:32pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Asp.net and angular OAuth/OIDC dotnet , angular	6	1000	May 22, 2024
SSO OIDC - hold OKTA token angular app OAuth/OIDC	1	1359	November 27, 2023
OKTA SSO login through Angular SPA application OAuth/OIDC	5	2535	February 13, 2024
OIDC SSO authentication token storage for Angular SPA application OAuth/OIDC	3	7017	February 12, 2018
Setup SSO with OKTA for my angular 6 app Questions	2	3918	January 23, 2024

Create Okta SSO session in angular based on ID token received from external app using okta auth js library

Related topics