Don't show Okta login inside iframe (Single session across parent and child)


My company uses Okta with SSO. I’m trying to embed an Okta-protected server-side web app (App B) inside of an Okta-protected SPA (App A). I don’t want App B to ever redirect to the Okta sign-in page. That would be a confusing experience for the user, having to log in twice. I want to be able to share a single session from App A to App B.

Is there any documentation on a use case like this? Is there an API that App B could call to validate that the user is already logged in without having to redirect them to the sign-in page?

I forgot to mention that App B is configured as a separate Application in Okta. It has its own client id, its own assignments. App B actually needs to generate its own access token.

I came up with a solution that should work. I figured I could use the Token Exchange endpoint that Okta authorization servers provide.

Before App A renders the iframe, it calls a custom endpoint in App B (POST /authenticate). App A sends its access_token in this POST request via headers or body. App B calls the token exchange endpoint with the access token and exchanges it for its own. The POST response will then respond with its normal Set-Cookie headers containing the session id. App A will then render the iframe. The cookies will be sent in the iframe document request and App B should see that the user has a session and will let them in, bypassing any login screens as it normally would when the correct cookies are there.

This doesn't work. I get a 403 Forbidden response when attempting to exchange the token. When I look at the system logs in my Okta admin, I see this error:

FAILURE: unsupported_token_exchange_flow

I suppose Okta doesn't support a SPA application and a Web Application attempting to do a token exchange? This should work in theory though?
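
The POST /authenticate step described in the question, as an added example that is not part of the original post and not Okta's code: App B's handler builds the RFC 8693 token-exchange request and issues its session cookie only when the exchange succeeds. The cookie name, audience, scope, in-memory store and the injected `exchange` callable (standing in for the HTTP call to the token endpoint) are assumptions, and App A and App B are assumed to be on different sites, which is why the cookie is `SameSite=None; Secure`.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Parameter values defined by RFC 8693 (OAuth 2.0 Token Exchange).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

SESSIONS = {}  # hypothetical in-memory store: session id -> App B access token


def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def exchange_request_body(subject_token, audience, scope):
    """Form body App B would POST to the authorization server's token endpoint."""
    return urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,           # App A's access token
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,                     # assumed value, not from the post
        "scope": scope,                           # assumed value, not from the post
    })


def session_cookie(session_id):
    """Set-Cookie value that a browser will attach to a cross-site iframe request."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id                    # "sid" is a hypothetical cookie name
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "None"
    return cookie["sid"].OutputString()


def handle_authenticate(headers, exchange):
    """POST /authenticate: returns (status, response headers)."""
    token = bearer_token(headers)
    if token is None:
        return 401, {}
    result = exchange(exchange_request_body(token, "api://app-b", "openid"))
    if "access_token" not in result:
        return 403, {}  # exchange rejected: create no session, set no cookie
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = result["access_token"]
    return 204, {"Set-Cookie": session_cookie(session_id)}
```
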