Custom login for application

I am working on creating a custom login. The custom login will be on its own domain and the applications that it will be ‘signing’ into will be on another domain potentially. For example, the login app will be at ‘login.mydomain.com’ and the main application will be at ‘app1.mydomain.com’.

Both the login and the actual application are in React. I’ve generally got this set up, but I am having an issue. In the JS SDK, when you call ‘authClient.token.getWithRedirect’ after signing in the user, the SDK is setting some cookies that it is looking for when the user is redirected back to the app. The issue is that the cookies are set on the login domain and are not available on the app domain. And there is no way to potentially alter it.

See: https://github.com/okta/okta-auth-js/blob/master/lib/token.js#L497

  1. What is the purpose of the redirect cookie? And what security does it offer?
  2. Should the cookie be able to be set for a domain such as ‘.mydomain.com’, so that the cookie would be able to be read from all subdomains? Or does that pose another security type issue?

I thought the purpose of the whole implicit flow was to get the access_tokens. Anyone have any ideas on this? I have not had much luck with making this work given the current implementation.
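
The cookie scoping behind the issue described above, as an added example that is not part of the original post or the Okta SDK: a simplified model of RFC 6265 domain matching showing which hosts can read a cookie set from login.mydomain.com with and without a Domain attribute. The cookie name `redirect-state` and the hosts other than the two in the post are constructed for illustration.

```javascript
// Simplified RFC 6265 cookie scoping (sections 5.1.3 and 5.3); no public-suffix check.
// The cookie name and the extra hosts are constructed sample values.

// RFC 6265 5.1.3: a host matches a domain if identical, or if it ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Model what the browser stores when `setterHost` sets a cookie.
// Returns null when the browser would reject the cookie.
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  // A host may only set cookies for itself or for a parent domain.
  if (!domainMatch(setterHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the stored cookie be visible to a page on `requestHost`?
function visibleTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Map each host to whether it can read a cookie set by `setterHost`.
function scopeReport(setterHost, domainAttr, hosts) {
  const cookie = storeCookie(setterHost, "redirect-state", domainAttr);
  return Object.fromEntries(hosts.map((h) => [h, visibleTo(cookie, h)]));
}

const hosts = ["login.mydomain.com", "app1.mydomain.com", "other.mydomain.com", "mydomain.com.example"];
console.log("host-only:", scopeReport("login.mydomain.com", null, hosts));
console.log("Domain=.mydomain.com:", scopeReport("login.mydomain.com", ".mydomain.com", hosts));
console.log("Domain=app1.mydomain.com:", scopeReport("login.mydomain.com", "app1.mydomain.com", hosts));
```

A cookie scoped to the parent domain is readable by every host under it, so its exposure is as wide as the least trusted subdomain of mydomain.com.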