Hi,
Was wondering if there is a way to add the user’s current session ID to an access token as a claim.
Thanks,
Kim
Take a look at the following thread that details a way to do this with Token Inline Hooks (a Custom Authorization Server is required for this option): Validate access token is linked to Okta session - #2 by andrea
Note that the session id is only available in the payload sent to the Inline Hook during a new OAuth flow. It will NOT be present if a refresh token is used to get new tokens for the user.
Hi Andrea,
Unfortunately we are also looking for this functionality for access tokens retrieved by refresh tokens as well. Is there no way for those to be augmented with a session ID?
Since refresh tokens are used for offline_access, they are not dependent on the existence of an Okta session (the Okta session does not need to be valid for the user to remain logged in) and the user’s session ID is no longer associated with the token request
1 Like
Hi! I noticed that the third section of the jti claim seems to be stable for a refresh token. It looks like it changes every time I generate a new refresh token, and is the same for all access_tokens that comes from the same refresh token. (Refresh token rotation is turned off)
Could you please confirm or deny this observation?
Background: I would like to implement a feature where a specific action (binding a device) can only be done once after a full login (username + password + mfa). Using the full jti for this purpose is not sufficient, as it changes every time it is renewed by the refresh token.
Okta Classic, OIDC flow
I also noticed that there is a device_id field when I introspect the refresh_token, that also seems to behave just like I envisioned. I do not use the Devices API, so I was quite surprised. I also did not find any documentation about this. @andrea do you think application logic could rely on these values?
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.