Custom Login for OIDC applications


#1

In the Okta SAML apps, there is a feature where Okta can redirect the user to a custom login page to perform the authentication. This feature is not available today for OIDC apps. Is there any way in Okta that can help to achieve this for OIDC apps? The use case is, the enterprise has 100+ OIDC apps and there is one application that has the custom login screen that uses the Okta API to authenticate the user. The requirement is to use this single custom login application for all the 100+ OIDC apps. By default these 100+ OIDC apps will use Okta’s native login; we don’t want to use the native login, but need to use an existing on-prem login portal for sign-in.


#2

This can be accomplished by exchanging an Okta session token for OIDC tokens. The Sign-In Widget and the Okta Auth JS library have this functionality built in. For instance, using the Auth JS library looks something like this:

// Setup added for completeness (not in the original post): OKTA_AUTH_JS is an
// OktaAuth instance, TOKENS lists the response types to request and SCOPES the
// OIDC scopes. The issuer, clientId and redirectUri values are placeholders.
// (The require/constructor form shown matches older okta-auth-js releases;
// newer ones export { OktaAuth }.)
var OktaAuth = require('@okta/okta-auth-js');
var OKTA_AUTH_JS = new OktaAuth({
  issuer: 'https://your-okta-domain.example/oauth2/default',  // placeholder
  clientId: 'YOUR_CLIENT_ID',                                 // placeholder
  redirectUri: 'https://app.example.com/callback'             // placeholder
});
var TOKENS = ['token', 'id_token'];         // access token first, then ID token
var SCOPES = ['openid', 'email', 'profile'];

// login and password come from the custom login form.
// Primary authentication: POST /api/v1/authn
OKTA_AUTH_JS.signIn({
  username: login,
  password: password
})
.then(function (transaction) {
  if (transaction.status === 'SUCCESS') {
    // Exchange the one-time sessionToken for OIDC tokens without ever
    // showing Okta's hosted login page
    OKTA_AUTH_JS.token.getWithoutPrompt({
      responseType: TOKENS,
      scopes: SCOPES,
      sessionToken: transaction.sessionToken
    })
    .then(function (tokenArray) {
      // Tokens are returned in the order given in TOKENS
      OKTA_AUTH_JS.tokenManager.add('access_token', tokenArray[0]);
      OKTA_AUTH_JS.tokenManager.add('id_token', tokenArray[1]);
      // ... (remaining application logic elided in the original)
    })
    .catch(function (err) {
      // ... (token error handling elided in the original)
      console.error(err);
    });
  } else {
    alert('We cannot handle the ' + transaction.status + ' status');
  }
})
.catch(function (err) {
  // ... (authentication error handling elided in the original)
  console.error(err);
});

The OKTA_AUTH_JS.signIn function performs the primary authentication, and then the OKTA_AUTH_JS.token.getWithoutPrompt function uses the sessionToken from the authentication transaction, together with responseType and scopes, to obtain a set of OIDC tokens.

This can all be done directly with the API as documented here: https://developer.okta.com/docs/api/resources/oidc#request-parameters


#3

Thank you for the response. Yes, this will work for specific apps. However, this is not feasible for larger enterprises where we have thousands of legacy apps running in different frameworks written 10-15 years ago.

We don’t want each application to write its own Auth JS widget. We want to use a common central login for all 100+ applications. We already have a login app that uses the Okta API. We want all other applications to utilize this login app for the user login.