How Embedded Signin widget in Dotnet MVC store session - ASP.NET

Hello everyone,

I have integrated the Embedded Sign-In Widget in my ASP.NET MVC web application, where I use the Identity Engine.
Below is my sample code.

Currently, my requirement is that if I log into my application successfully using the Sign-In Widget, then another application using the same Okta credentials should be logged in automatically without asking for a password. Based on my implementation shared in the screenshots, this is working correctly, but I am still CONFUSED about how the SESSION works with the code I have implemented: is it because Okta handles and stores the identity tokens (AccessToken and IDToken) in the web browser and gives back the AccessToken and ID Token after successful authentication, or is my understanding incorrect? Please help me with my query.

Thank you

The Okta session is managed by session cookies (idx for orgs using the Interaction Code flow and sid for orgs using /authn) set on the Okta domain. As long as users are routed to the Okta domain for login (for OIDC apps, that would be via the /authorize redirect and for SAML, that would be via the SSO URL).

If you look in your browser, do you see the idx cookie set for the *.okta domain?

Hello @andrea, thank you for your response.
Now I have observed that the idx cookie is visible at the time of login. Thanks again.

Question: once a user has logged in to the application, how can I verify that the session is still active or the user is authenticated while redirecting to another page? I need your help with this, specific to the .NET code I have mentioned above.

Thank you.
Looking forward to your response.

You can use the Sessions endpoint to confirm the presence of this session (GET /api/v1/sessions/me), which can be completed as a CORS request (note that you might run into issues calling this from your application in a browser that blocks third-party cookies). As this is a front-end-only call, there is no .NET code I can provide you, but here is a sample Fetch request:

// credentials: "include" sends the Okta session cookie along with the request
fetch('https://{{oktaDomain}}/api/v1/sessions/me', {credentials: "include"})
  .then((response) => {
    return response.json();
  })
  .then((data) => {
    console.log(data);
    alert(JSON.stringify(data));
  });

If you do run into third-party cookie issues, you will need to redirect back to Okta to confirm the session exists (this is how you would complete SSO into a second application anyway). There's not really a deliberate endpoint for this, only that SSO would work or, if the user accesses the Okta domain, they should be sent into the dashboard directly without being prompted to authenticate.
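The check described in the answer above, as an added browser-side example that is not code from the original thread or from Okta: it wraps the GET /api/v1/sessions/me call, decides what the response means (active, expired, no session cookie presented, or a CORS/network failure such as the third-party cookie case), and builds the /authorize URL for the redirect fallback. The domain, client id, redirect URI and the sample session body are placeholders constructed for the example; the session field names (status, login, expiresAt) follow the Sessions API response. `fetch` is injected so the example runs offline against a mock.

```javascript
// Added example (not from the original thread): confirm an Okta session from
// the browser and fall back to an /authorize redirect when it cannot be confirmed.

// Interpret the HTTP status and JSON body of a GET /api/v1/sessions/me response.
// Only a 200 with status "ACTIVE" and a future expiresAt counts as an active session.
function classifySessionResponse(status, body, now = Date.now()) {
  if (status === 200 && body && body.status === 'ACTIVE') {
    const expiresAt = Date.parse(body.expiresAt);
    if (Number.isNaN(expiresAt) || expiresAt > now) {
      return { active: true, login: body.login, expiresAt: body.expiresAt };
    }
    return { active: false, reason: 'expired' };
  }
  if (status === 200) return { active: false, reason: 'not-active' };
  // Okta answers 404 when no session cookie reaches it; 401/403 are treated the same way.
  if (status === 404 || status === 401 || status === 403) return { active: false, reason: 'no-session' };
  return { active: false, reason: `unexpected-status-${status}` };
}

// Perform the CORS request. credentials: "include" makes the browser attach the
// cookies it already holds for the Okta domain (the idx/sid session cookie);
// it is not a place for a username or password.
async function checkOktaSession(oktaDomain, fetchImpl = globalThis.fetch) {
  let response;
  try {
    response = await fetchImpl(`https://${oktaDomain}/api/v1/sessions/me`, { credentials: 'include' });
  } catch (err) {
    // A blocked third-party cookie or CORS failure surfaces here as a rejected fetch.
    return { active: false, reason: 'network-or-cors-error' };
  }
  let body = null;
  try { body = await response.json(); } catch (err) { body = null; }
  return classifySessionResponse(response.status, body);
}

// Build the /authorize URL for the redirect fallback (the same route SSO into a
// second application relies on). Orgs using a custom authorization server use
// /oauth2/<serverId>/v1/authorize instead of /oauth2/v1/authorize.
function buildAuthorizeUrl(oktaDomain, clientId, redirectUri, state) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    scope: 'openid profile',
    redirect_uri: redirectUri,
    state,
  });
  return `https://${oktaDomain}/oauth2/v1/authorize?${params.toString()}`;
}

// Decide what the page should do: null means stay put, otherwise navigate to the URL.
function redirectTargetFor(result, authorizeUrl) {
  return result.active ? null : authorizeUrl;
}

// Constructed stand-in for fetch so the example runs without an Okta org.
function makeMockFetch(status, body) {
  return async () => ({ status, json: async () => body });
}

// Constructed sample session body (placeholder ids).
const SAMPLE_ACTIVE_SESSION = {
  id: 'SESSION_ID_PLACEHOLDER',
  login: 'user@example.com',
  userId: 'USER_ID_PLACEHOLDER',
  status: 'ACTIVE',
  expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
};

// Offline demo: an active session stays on the page, a missing one redirects.
async function demo() {
  const authorizeUrl = buildAuthorizeUrl('dev-000000.okta.com', 'CLIENT_ID_PLACEHOLDER',
    'https://app.example.com/authorization-code/callback', 'STATE_PLACEHOLDER');
  const active = await checkOktaSession('dev-000000.okta.com', makeMockFetch(200, SAMPLE_ACTIVE_SESSION));
  const missing = await checkOktaSession('dev-000000.okta.com', makeMockFetch(404, null));
  return {
    whenActive: redirectTargetFor(active, authorizeUrl),   // null
    whenMissing: redirectTargetFor(missing, authorizeUrl), // the /authorize URL
  };
}

demo().then((r) => console.log(r));
```

In a real page you would call `checkOktaSession(oktaDomain)` with the browser's own `fetch` and, when the result is not active, set `window.location` to the URL from `buildAuthorizeUrl`; the redirect lets Okta read its first-party cookie even when the browser refuses to send it cross-site.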

Thank you for your kind support, @andrea.

As I am new to this Sign-In Widget implementation,
can you please help to answer the questions below as well.
1 - In my code, I am checking whether the user is already authenticated after the user logs in successfully, using the line of code highlighted in red below.
I am validating isAuthenticated because I want to know if this same user is already active from another Okta domain application.

However, I have found another option, ValidateToken, where we can validate the AccessToken that contains the user information.

Can you please let me know whether ValidateToken and isAuthenticated are the same thing for validating that a user is authenticated, or in what situation we should use each of these two?

2 - Also, I have observed in my code that even if the AccessToken has expired, the user still remains authenticated. How can I set the value of isAuthenticated to false once the "AccessToken" has expired, and clear the idx cookie from the browser, using ASP.NET code?

3 - In the suggested API "https://{{oktaDomain}}/api/v1/sessions/me", is the parameter {credentials: "include"} a static keyword, or should I add my username and password?

Thank you. Looking forward to your help.

@andrea, can you please help me with the 3 queries posted? I am not able to find many code samples for the queries I have asked.

Thanks, looking forward to your response.

Thank you for your help!! Appreciated. This can be closed. @andrea
