When using the okta widget I noticed that it creates cookies (okta-oauth-redirect-params, okta-oauth-nonce and okta-oauth-state). I’ve looked all over GitHub - okta/okta-signin-widget: Okta SignIn widget that renders the new login/auth/recovery flows for configuration options on this but I can’t find them. Does anyone know how to suppress these cookies? Our auth flow does not need them and our customers are critical of any cookies created in our application. Thanks!
The SDK creates these cookies for you so that the OAuth flow can be handled (especially for PKCE auth, which uses the redirect-params cookie) and so that the nonce can be validated on the front end. As such, I’m not sure why you would want to disable the creation of these cookies.
Are you using implicit flow? Would you prefer these be stored somewhere else instead of as cookies (such as in local storage)?
Hi Andrea,
Thanks for your help. Maybe we’re not using the login widget to it’s fullest potential but we use the auth code flow so after a user submits credentials and they get redirected to okta, they get redirected back to our /auth/callback endpoint with a code and state query param. Our backend then does the validation of the state and hits the token endpoint with the code. We keep the nonce we specified in the widget in our backend so there’s no need for us to have or use the okta cookies at all.
Given how cookies are not super secure, it would be surprising that we couldn’t disable them somehow.
Kirk
hm… which version of our Widget are you currently using? I checked and it looks like the use of these cookies was removed in AuthJS v7.0.0, see PR for reference.
If you are using the recently released Widget v7.0.0 (which has AuthJS 7.0 as a dependency), you should see this change in behavior.
Ah ok. Did not realize there was a new release. I’ll give that a go. Is there a migration guide from 6.8 to 7.0? I’m guessing there are some breaking changes but i don’t see any specifics.
Ah yeah, switching to the 7.0 widget doesn’t seem to create the cookies anymore. Thank you!
1 Like
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.