Do we need a session token? If so, how do we get it?

Posted on behalf of a client I’m working with:

We have some questions about the user authentication using API calls.

OKTA has the concept of trusted application and public application when it comes to the authentication.
https://developer.okta.com/docs/reference/api/authn/#public-application

The trusted application calls the Authentication API using API token and the public application starts the authentication anonymously.

My interpretation of this statement was that Trusted application would always call OKTA using API token during the authentication.

However when we started testing the authentication API, we discovered that if MFA is needed then the trusted app will receive a state token.

This is very similar to the Public application which also receives a state token.
API calls with state token don’t require an API token.
So if state token is used then the back-end server would behave as a browser and the added security of the API token would not be there.

We had a bit of a conversation to see if we could continue with API calls using API token - e.g. use /users/…/factors API calls (with API token) instead of the /auth API calls (with state token) to perform MFA.
The problem with this is that it looks like we cannot get a session token at the end of series of /factors API calls.
We need the session token to start an IDP initiated SAML flow.

Of course we can obtain a session token after the MFA if we go through the flow with state token only (and no API token).

Is that indeed the case - only the first authentication call from a back-end server would use an API token and then the back-end server would become like a browser and rely only on state token (and not on API token) during the MFA until the session token is issued?

Or maybe there is a way (that we don’t know about) to use the /factors API to perform MFA and obtain a session token somehow at the end?

Or maybe there is a way (that we don’t know about) to start the IDP initiated flow for a user without using a session token?

Do you need to establish an Okta session in the browser? If yes, then you will need to obtain a session token using the Authentication API.
https://developer.okta.com/docs/reference/api/sessions/#session-token

If you have a custom app where you just want to verify the user’s credentials and handle MFA, then you may not need a session token if you do not want to establish an Okta session.

Also, you don’t have to pass an API token in the /authn request unless you want to specify your own deviceToken.