Custom sign in flow + refreshing tokens


I’m in the process of integrating Okta into my app.
I’m using a custom UI for signing in and I have a few logistic questions:

  1. What is the difference between authentication and signing in? What tokens do I have after authenticating but prior to signing in? Is there a reason for me to authenticate and not sign in? If my current sessionClient is authenticated, is there a need to sign in?

  2. When is the right time to manually refresh the access token if it expires? Before authentication? After authentication but before sign-in? After sign-in?

Huge thanks to all helpers!

Not quite sure I fully understand your definitions, or which terms you are referring to as authentication and sign-in.

I’d say they are almost synonymous to me. You can authenticate to Okta with the help of the auth API (or any SDK) to get an Okta session token. At this moment you are not signed in to any application yet. And then you can use that token to exchange it for an access_token while signing in to an application with the OAuth/OIDC API.

As for the second question, you need to refresh your access_token when it’s expired. A way of refreshing depends. But if you are not authenticated to Okta, then you can only refresh with the help of the refresh_token.
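As an added illustration of the refresh timing described in this answer (example code, not from the original thread or from Okta's SDKs): the app keeps the token set it received at sign-in with an absolute expiry, renews shortly before that expiry using the OAuth refresh_token grant against the OIDC token endpoint, and falls back to a full re-authentication when no refresh_token is held. It assumes a public client identified only by `client_id`, and `fake_token_endpoint` is a constructed stand-in for the real token endpoint so the logic runs offline.

```python
import time
from urllib.parse import parse_qs, urlencode

SKEW_SECONDS = 60  # renew this long before expiry so clock drift never hands out a dead token

def store_token_response(resp, now):
    """Keep the token set from a token-endpoint JSON response; expires_in is relative, so pin it to a timestamp."""
    tokens = {"access_token": resp["access_token"], "expires_at": now + int(resp["expires_in"])}
    if "refresh_token" in resp:  # only present when the offline_access scope was granted
        tokens["refresh_token"] = resp["refresh_token"]
    if "scope" in resp:
        tokens["scope"] = resp["scope"]
    return tokens

def needs_refresh(tokens, now, skew=SKEW_SECONDS):
    """True once the access token is within `skew` seconds of expiring, or already past it."""
    return tokens["expires_at"] - skew <= now

def refresh_request_body(tokens, client_id):
    """Form body for the refresh grant (RFC 6749 section 6), POSTed to the OIDC token endpoint."""
    body = {
        "grant_type": "refresh_token",
        "refresh_token": tokens["refresh_token"],
        "client_id": client_id,  # public client; a confidential client would authenticate instead
    }
    if "scope" in tokens:
        body["scope"] = tokens["scope"]  # may only narrow the originally granted scope
    return urlencode(body)

def refresh_if_needed(tokens, client_id, post, now=None):
    """post(form_body) -> parsed JSON dict from the token endpoint, injected so this runs offline.
    Returns (tokens, refreshed); without a refresh_token the only option is a fresh sign-in."""
    now = time.time() if now is None else now
    if not needs_refresh(tokens, now):
        return tokens, False
    if "refresh_token" not in tokens:
        raise RuntimeError("access token expired and no refresh_token held; sign in again")
    new_tokens = store_token_response(post(refresh_request_body(tokens, client_id)), now)
    # The server MAY rotate the refresh token; keep the old one only if none came back.
    new_tokens.setdefault("refresh_token", tokens["refresh_token"])
    return new_tokens, True

def fake_token_endpoint(form_body):
    """Constructed stand-in for the token endpoint: issues a new access token and rotates the refresh token."""
    params = parse_qs(form_body)
    assert params["grant_type"] == ["refresh_token"]
    return {"access_token": "at-" + params["refresh_token"][0], "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": "rt-2", "scope": params.get("scope", [""])[0]}
```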

I think I got it :slight_smile: