Currently, my requirement is that if I log into my application using the Sign-in Widget successfully, then another application using the same Okta credentials should be logged in automatically without asking for a password. Based on my implementation shared in the screenshots, it is working correctly, but I am still CONFUSED about how the SESSION works based on the code I have implemented: is it because Okta is handling and storing the identity tokens (AccessToken and IDToken) in the web browser and giving back the AccessToken and ID Token after successful authentication, or is my understanding incorrect? Please help me with my query.
The Okta session is managed by session cookies (idx for orgs using the Interaction Code flow and sid for orgs using /authn) set on the Okta domain, as long as users are routed to the Okta domain for login (for OIDC apps, that would be via the /authorize redirect, and for SAML, that would be via the SSO URL).
If you look in your browser, do you see the idx cookie set for the *.okta domain?
Hello @andrea thank you for your response.
Now I have observed that the idx cookie is visible at the time of login. Thanks again.
Question: Once a user has logged in to the application, how can I verify that the session is still active or the user is authenticated while redirecting to another page? I need your help with this, specific to the .NET code I have mentioned above.
You can use the Sessions endpoint to confirm the presence of this session (GET /api/v1/sessions/me), which can be completed as a CORS request (note that you might run into issues calling this from your application in a browser that blocks third-party cookies). As this is a front-end-only call, there is no .NET code I can provide you, but here is a sample Fetch request:
If you do run into third-party cookie issues, you will need to redirect back to Okta to confirm the session exists (this is how you would complete SSO into a second application anyway). There's not really a deliberate endpoint for this, only that SSO would work or, if the user accesses the Okta domain, they should be sent into the dashboard directly without being prompted to authenticate.
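As an added illustration of the session check described in the reply above (example code, not from the reply, the screenshots, or an Okta SDK), this calls GET /api/v1/sessions/me with the browser's Okta cookies and separates "no session" (404) from a blocked cross-origin call that needs the Okta redirect fallback. The oktaDomain value, the injectable fetchImpl parameter and the fake fetch used to run it offline are assumptions.

```javascript
// Added example: check for an active Okta session from front-end code.
// fetchImpl is injected so the function can run against a mock in Node;
// in a browser pass window.fetch (the default). oktaDomain is a placeholder.
async function checkOktaSession(oktaDomain, fetchImpl = globalThis.fetch) {
  const url = `https://${oktaDomain}/api/v1/sessions/me`;
  let res;
  try {
    // credentials: "include" is a fixed fetch option: it tells the browser to
    // send the Okta cookies (idx/sid) cross-origin. It is NOT a username/password.
    res = await fetchImpl(url, { method: "GET", credentials: "include" });
  } catch (err) {
    // Network/CORS failure: typically third-party cookies blocked or the app's
    // origin not trusted in Okta. Caller should fall back to a redirect to Okta.
    return { active: false, reason: "network", fallbackRedirect: true };
  }
  if (res.status === 404) {
    // Okta answers 404 when no session cookie is present or the session expired.
    return { active: false, reason: "no-session", fallbackRedirect: false };
  }
  if (!res.ok) {
    return { active: false, reason: `http-${res.status}`, fallbackRedirect: true };
  }
  const session = await res.json();
  // Only treat the session as usable if Okta reports it ACTIVE and not expired.
  const expiresAt = Date.parse(session.expiresAt);
  const active =
    session.status === "ACTIVE" &&
    (Number.isNaN(expiresAt) || expiresAt > Date.now());
  return { active, reason: active ? "ok" : "inactive", session, fallbackRedirect: false };
}

// Constructed fake fetch for offline demonstration; returns a canned response
// shaped like the real one (status, ok, json()).
function makeFakeFetch(status, body) {
  return async () => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () => body,
  });
}
```

In a browser, an `active: false` result with `fallbackRedirect: true` is the cue to send the user through the /authorize redirect rather than treating them as logged out.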
As I am new to this Sign-in Widget implementation, can you please help to answer the questions below as well.
1 - In my code, I am checking whether the user is already authenticated after the user has logged in successfully, using the line of code highlighted in red below.
I am validating isAuthenticated because I want to know if this same user is already active from another Okta domain application.
Can you please let me know whether ValidateToken and isAuthenticated are the same thing for validating that a user is authenticated, or in what situation we should use each of these two?
2 - Also, I have experienced from my code that even if the AccessToken is expired, the user still remains authenticated. How can I set the value of isAuthenticated to false once the "AccessToken" is expired and clear the idx cookies from the browser using ASP.NET code?
3 - In the suggested API "https://{{oktaDomain}}/api/v1/sessions/me", is the parameter {credentials: "include"} a static keyword, or should I add my username and password?