We want to use Okta as an IdP for Google SSO due to certain constraints. Our goal is to allow users to log in with Google SSO, but we want the request to hit the Okta authorization server, which uses Google as an IdP, and then return the Google token to the client.
We have successfully set up social login so that users can log in with Google SSO to the Okta auth server (Social Login | Okta Developer), but the tokens returned are Okta tokens, not Google tokens. We explored two approaches but were unsuccessful with both:
Including Google token as custom claims in Okta tokens: We looked into Okta's Expression Language (Okta Expression Language overview guide | Okta Developer), but couldn't find a way to include Google tokens as custom claims.
Using the Okta IdPs API: We tried to use the Okta IdPs API (Identity Providers | Okta Developer) to retrieve the token from the social provider, but received a 400 Bad Request exception. We assume this might be due to missing required scopes (possibly "okta.idps.read"), but we couldn't find a way to include this scope in the access token returned by the Okta auth server.
We would greatly appreciate any assistance to make either of these approaches work, or suggestions for alternative methods to achieve our goal. Thanks in advance!
You would need an Admin API token to use the /api/v1/idps/${idpId}/users/${userId}/credentials/tokens endpoint, which non-admin endusers would not have permissions to access.
If you absolutely need the token that was issued by Google, that endpoint is the only way to do so.
If you just need your application to receive information from the user's Google profile, you can instead map those values into the Okta User Profile and then into the token claims so your application can access it.
Thanks for the reply! We tried logging in with the user account that has the super administrator role, but we are still getting the error from the API call. Do we need a specific scope inside the access token to hit this endpoint, or will the access token of the admin user work?
As long as your application is requesting tokens from the Org Authorization Server (i.e. using the endpoints /oauth2/v1/authorize and/or /oauth2/v1/token), then, yes, you need to make sure you are requesting the appropriate scope (which should be okta.idps.read, see our newer API docs for this endpoint here) and that this scope is enabled in the "Okta API Scopes" tab for the OIDC application you created in Okta and are using to request tokens.
A Super Admin user should absolutely be able to make this request, but let me know if you run into any issues. Also, more information about using OAuth tokens against Okta's APIs can also be found in our guide here.
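The flow the answer above describes, as an added browser-side example that is not part of this thread and not Okta's own code: request the Org Authorization Server authorize endpoint with `okta.idps.read` alongside the OIDC scopes, inspect the resulting access token for that scope before spending a request, then call `/api/v1/idps/{idpId}/users/{userId}/credentials/tokens` with the token as a Bearer credential. The org URL, client ID, redirect URI, IdP ID and user ID are placeholders; `makeUnsignedJwt` exists only so the example can construct a sample token offline (real Okta tokens are signed), and the scope check assumes a JWT-shaped token carrying an `scp` claim and is advisory only: the server is the authority on what the token may do.

```javascript
// Added example (not from the original thread). Placeholders below are assumptions.
const ORG_URL = "https://example.okta.com";                 // placeholder Okta org
const CLIENT_ID = "0oaexampleclientid";                     // placeholder OIDC SPA client
const REDIRECT_URI = "https://app.example.com/callback";    // placeholder redirect URI

// Build the Org Authorization Server authorize URL (/oauth2/v1/authorize) with the
// Okta API scope okta.idps.read requested next to the usual OIDC scopes (PKCE flow).
function buildOrgAuthorizeUrl({ state, codeChallenge }) {
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: "code",
    redirect_uri: REDIRECT_URI,
    scope: "openid profile email okta.idps.read",
    state,
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
  });
  return `${ORG_URL}/oauth2/v1/authorize?${params.toString()}`;
}

// base64url helpers (browser and Node 16+ both provide atob/btoa).
function base64UrlEncode(str) {
  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function base64UrlDecode(seg) {
  let s = seg.replace(/-/g, "+").replace(/_/g, "/");
  s += "=".repeat((4 - (s.length % 4)) % 4);
  return atob(s);
}

// Demo-only: build an unsigned JWT so the example has a token to inspect offline.
// A real Okta access token is signed; never mint tokens like this in production.
function makeUnsignedJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Decode a JWT payload WITHOUT verifying the signature: used only to look at the
// granted scopes client-side before making the API call, never for trust decisions.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Assumption: the granted scopes are in the "scp" claim (Okta's convention).
function hasScope(accessToken, scope) {
  const scopes = decodeJwtPayload(accessToken).scp || [];
  return scopes.includes(scope);
}

function buildIdpTokensUrl(idpId, userId) {
  return `${ORG_URL}/api/v1/idps/${encodeURIComponent(idpId)}` +
         `/users/${encodeURIComponent(userId)}/credentials/tokens`;
}

// Exchange the Okta access token for the social IdP's stored tokens. fetchImpl is
// injectable so the call can be exercised with a fake response offline.
async function fetchSocialIdpTokens(accessToken, idpId, userId, fetchImpl = globalThis.fetch) {
  if (!hasScope(accessToken, "okta.idps.read")) {
    throw new Error("access token was not granted okta.idps.read; fix the scope request first");
  }
  const res = await fetchImpl(buildIdpTokensUrl(idpId, userId), {
    method: "GET",
    headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" },
  });
  if (!res.ok) {
    // Surface the status and body: a 400 here usually means a scope/consent problem
    // rather than a malformed request, so the body text is what you want to read.
    const body = await res.text();
    throw new Error(`idps credentials/tokens call failed: HTTP ${res.status}: ${body}`);
  }
  return res.json();
}
```

The scope check is deliberately a pre-flight hint only: a token can carry `okta.idps.read` in `scp` and still be rejected if the scope is not enabled under the application's "Okta API Scopes" tab or the caller lacks the required admin role, so the HTTP status and body from the real call remain the ground truth.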
I think using the API token could work, but in our specific case, it wouldn't be the best approach because we want to make all requests from the client side (we don't want to store the API token in the SPA application). What we did was:
The user goes through the OAuth flow, logs in to Okta, and receives the Okta auth.
With this auth, I want to swap it for the Google auth by hitting the API endpoint mentioned above. However, even though the user is a superadmin and I granted the okta.idps.read scope in the Okta Application, we get a bad request error.
So, I guess the main question is, is it possible to use the access token that was returned from the login flow (not the API token) to hit the specified endpoint to get the IDP auth?