I am attempting to use the “sample-golang” repository “okta-hosted-login” here (https://github.com/okta/samples-golang/tree/master/okta-hosted-login) method to gain a sid. In order to gain this sid from the “https://domain.okta.com/login/sessionCookieRedirect?${sessionToken}” endpoint, I first need the sessionToken. I was wondering if it was possible to fetch this session token from the response gained from the okta-hosted-login example. This example returns a “code” via the okta authorization endpoint, which is then used to gain the accessToken and idToken. Can any of these values be used to obtain a session token to retrieve a sid?
The sid is being used inside of a golang cli application, and the “okta-hosted-login” is being used as a method to do webauthn authentication for the cli application.
The only way to get a sessionToken is to complete the primary authentication process with the /authn endpoint. The sessionToken is different from the authorization code being returned, as that is related to completing Authorization Code flow.
In fact, you are only able to get this authorization code in the first place if the user was able to complete primary authentication (either when logging into your application directly, or with a previously existing Okta session). Since you’re using the okta-hosted-login version, the primary authentication flow and the generation of the Okta session cookie are all being handled by the Okta hosted login page; your application doesn’t need to interface with a sessionToken itself. If you check in your browser, you should see some cookies set on your Org’s Okta domain during login, including the Okta session cookie (sid or idx, depending on if you are using an Okta Classic or Okta Identity Engine org, respectively).
Why do you think you need a sessionToken for your use case?
It’s a bit of a strange case. I am attempting to add webauthn factor auth to a cli app; this app does other factors (push, sms, token) just fine and these are handled via the okta auth api. This then fetches the sid from the sessionToken, which is used by the app to know when the user is already logged in. The issue I am facing is you are not able to do okta webauthn authentication in the cli alone, which is why I am attempting to use golang-sample app as a workaround.
A new approach may be required, thanks a lot for your help!
Another question, is there any method that’s possible to access the idx token that is created with the authentication without having to manually access it from the browser’s cookies?
Not silly at all, there’s a lot of complexity and different use cases that can make it tricky to find a good solution.
WebAuthn is a bit trickier than the other factor types (as evidenced by our API docs on how to manually activate or challenge/verify, which requires some JS to get working). Not sure if it would be possible to do this in a CLI…
And not really? The idx cookie will be returned in the response headers from Okta. I don’t know of any other way to retrieve it.
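The distinction drawn in the reply above between a sessionToken and the authorization-code flow's tokens, as an added example that is not part of the original thread or of Okta's sample code: a Go check that accepts only a completed /authn transaction before building the sessionCookieRedirect URL. The JSON bodies and the example.okta.com org are constructed, and the `token`/`redirectUrl` query parameters and response field names follow the Okta Classic authn flow rather than anything quoted in the thread.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Constructed sample bodies (not captured from a real org).
const (
	sampleSuccess = `{"status":"SUCCESS","sessionToken":"constructed-session-token"}`
	sampleMFA     = `{"status":"MFA_REQUIRED","stateToken":"constructed-state-token"}`
	sampleOAuth   = `{"access_token":"constructed","id_token":"constructed","token_type":"Bearer"}`
)
// ErrFactorPending: the authn transaction has not finished, so no sessionToken exists yet.
var ErrFactorPending = errors.New("authn transaction incomplete, factor verification pending")
type authnResponse struct {
	Status       string `json:"status"`
	StateToken   string `json:"stateToken"`
	SessionToken string `json:"sessionToken"`
}

// SessionRedirectURL builds the redirect URL; the token in it is a credential, so do not log it.
func SessionRedirectURL(orgURL, redirectURL string, body []byte) (string, error) {
	var r authnResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return "", fmt.Errorf("decode authn response: %w", err)
	}
	if r.Status != "SUCCESS" || r.SessionToken == "" {
		if r.StateToken != "" {
			return "", fmt.Errorf("%w (status %s)", ErrFactorPending, r.Status)
		}
		// e.g. an OAuth token response: access/ID tokens carry no sessionToken.
		return "", fmt.Errorf("no sessionToken in response (status %q)", r.Status)
	}
	u, err := url.Parse(orgURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", errors.New("org URL must be an absolute https URL")
	}
	u.Path = "/login/sessionCookieRedirect"
	u.RawQuery = url.Values{"token": {r.SessionToken}, "redirectUrl": {redirectURL}}.Encode()
	return u.String(), nil
}

func main() {
	u, err := SessionRedirectURL("https://example.okta.com", "https://example.okta.com/app/UserHome", []byte(sampleMFA))
	fmt.Println(u, err) // the MFA_REQUIRED body is rejected with ErrFactorPending
}
```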