Does OKTA SignIn Widget work with API Services (App Integration)

Is it possible to configure OKTA SignIn Widget to communicate with OKTA API Services?
My impression is no, but the cybersecurity team at my work is recommending the pairing between the 2 above, but through some research on my end, it doesn’t seem possible. Can you please confirm, any information would be greatly appreciated. Thank you!

I don’t think I understand your question. What are you looking to do? What actions would the users who sign in via the widget be performing (SSO, API calls, etc)?

SSO Authentication…

I’m trying to use the SignIn Widget to make calls to API Services. At least this is what the cybersecurity department at my company wants me to do.

I implemented the widget using the non-oidc approach, which i got working. But since it uses CORS, which they want me to avoid, they’ve asked me to use API Services which bypasses CORS…

However this is not possible with the OKTA Sign in Widget right? If I were to go with the API service calls, for authenticating a user, I would have to basically implement my own authentication workflow

If I understand correctly, the self-hosted widget will make API requests to the Authentication endpoint but it will be cross-origin (CORS). In a non-oidc setup, I believe you’re just using the widget to validate the credentials and then redirect the user to the proper page?

If you want to avoid CORS, then you will need either need to redirect to the Okta-hosted widget or setup a custom login page where you need to make API requests to the Authentication endpoint from your backend.

Hi Warren,

That’s correct. The non-oidc implementation just validates user credentials and then redirects the user to the same page, but with a session token. When the page reloads on redirect, and verifies that a session token exists, the login page is removed, and the hidden form is displayed.

The app is developed in mvc5 using 4.6. It’s basically a single page application that just reloads the page and checks whether a session token exists (on initial validation, it stores the session cookie in the browser).

Your recommendations:

  1. You will need to redirect to the OKTA-hosted widget. Would this be a good example of this and also help me avoid CORS: samples-aspnet/okta-hosted-login at master · okta/samples-aspnet · GitHub

  2. Or setup a custom login page where you need to make api request to the authentication endpoint from your backend. Would you happen to have any examples/documentations on this one.

Thank you in advance.

I can answer that:

  1. yup, that sample will redirect the user to Okta to login, which will result in the user getting sent back to the application if they already have a valid session cookie in their browser
  2. we also have a sample for this, samples-aspnet/self-hosted-login at master · okta/samples-aspnet · GitHub, which uses our .NET Auth SDK to make the manual API calls to the authentication endpoint to login the user.