Custom welcome page (/user/welcome)

Hello Okta team,

Our goal is to rebuild Okta’s /user/welcome page that is accessed after a user clicks the link from the user activation email. I have read this topic multiple times but I still can’t understand how to securely append password and security question+answer to the existing user. Ie. let the user finalize his registration.

That’s what we have so far:

1. Email template has been updated to point to a custom activation page - ie. domain.com/auth/activate/${activationToken}
2. From this page, using okta-auth-js lib we’re validating the token using signInWithCredentials({ token })
3. The previous call returns a new PASSWORD_RESET transaction that is used to setup the user’s password. After setting this up and by using the returned sessionToken we can obtain an access token and log the user in.

The issue is that the user haven’t setup his security question/answer and he is not able, if needed to, initiate the password reset flow - “At this time your password can only be reset by an administrator.”

My question is: How can we enable our users to setup both their password and security question (and activate them I guess) just like you do on the Okta hosted welcome page?

I can see a POST call to /user/welcome/login/internal but it is unclear to me how this endpoint works and what it does in order to finalize the registration.

Thank you in advance!
Nikola @ SIMON Markets LLC

This end-user activation page is un-customizable and only exists as an Okta hosted page.

Thank you for you reply.
I understand that it cannot be customized and that is why we are looking for details on how it is implemented so that we can rebuild it on our side.

Alright here is the final solution confirmed by an Okta Developer Support Engineer.
Unfortunately it involves creating a custom endpoint (with an API token to talk to Okta) that will change user’s recovery question:

• Create your user as you currently are. The activation email will redirect to you app server providing the activation token.
• Your app server will call Primary authentication with an activation token
  • https://developer.okta.com/docs/reference/api/authn/#request-example-for-activation-token
  • this will return PASSWORD_RESET.
• Your app will collect a password from a user (and recovery question/answer) and call reset password
  • https://developer.okta.com/docs/reference/api/authn/#reset-password
    • this will either return SUCCESS if MFA is not required or MFA_ENROLL
      • if MFA_ENROLL is returned you will need to go through the MFA_ENROLL calls until you get status SUCCESS
    • Once a user is status SUCCESS there will also be a SESSION_TOKEN returned that should be saved.
• Your app will then take the password/recovery question the user entered prior an call change recovery question
  • https://developer.okta.com/docs/reference/api/users/#change-recovery-question
• Your app will then use the SESSION_TOKEN returned before and either use it to /authorize into an OIDC application (assuming the users login to an OIDC application)
  • https://developer.okta.com/docs/reference/api/oidc/#authorize
    
  • or you could use the sessions API to have the users browser redirect to one of the endpoints to set the Okta session including using an embedded link of a SAML application if that is the requirement.
    • https://developer.okta.com/docs/reference/api/sessions/#session-token

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.