I am trying to get an access token to make calls from Salesforce to my web app using Okta as the IdP. Based on the Salesforce logged-in user, the access token has to be generated. For this, I will be using the Salesforce user’s email ID or user ID as the “sub” in the JWT. I will then use this token to call my web app.
Unfortunately, I did not find an article to help me with the configuration.
Is it possible for me to get an access token from Okta without having the user to login again?
Can someone please point me to the documentation on this?
You cannot use the Client Credentials grant type to receive user-specific details, as only the client credentials themselves (Client ID and Client Secret) are needed to authenticate the request for tokens. For most user-based OAuth use cases, the Authorization Code Flow (with PKCE if your application does not have a backend to secure a secret) is the recommended grant type to use instead.
If the user already has an Okta session (and they are not required to complete additional authenticator verification in your application’s assigned Authentication Policy), then the /authorize request will succeed immediately and the user can receive tokens without re-authenticating with Okta.
The Authorization Code flow requires the user to sign in to Okta. Is there a way the logged-in user can get a token from Okta without having to sign in again?
For example, a user has signed in to Salesforce using Salesforce username and password. Now this logged in user requires an access token from Okta to make a request to a Web App. Is it possible to get an access token without human intervention?
That’s what I was alluding to: if the user already has an Okta session, they don’t need to sign in again. But if they are only logged into Salesforce directly (not through Okta), then they don’t have an Okta session and would need to authenticate (not re-authenticate, as they have not authenticated against Okta yet).
Got it, I tried the setup without PKCE. It works with an active Okta session. Do you have any documentation around how to set this up with PKCE in Salesforce?
Specific to Salesforce, no. It should be as simple as executing an /authorize request (note that you will want to make a dynamic code_verifier/code_challenge pair for each request) and then taking the auth code you get back and sending it back to Okta’s /token endpoint in a POST, along with the code verifier.
What did you manage to get working without PKCE? Just the /authorize request itself?
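The PKCE exchange described in the reply above, as an added example that is not code from the thread or from Okta: it generates a fresh code_verifier/code_challenge pair per request, builds the /authorize URL, and builds the form body for the /token POST. The Okta issuer, client ID and redirect URI are placeholders, and `verifier_matches` shows the check the authorization server performs on the verifier.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholders; replace with your Okta org, authorization server and client.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"  # placeholder
CLIENT_ID = "0oa-placeholder-client-id"                 # placeholder
REDIRECT_URI = "https://salesforce.example/callback"    # placeholder


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier (RFC 7636): base64url without padding, 43-128 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(code_verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(code_challenge: str, state: str, nonce: str) -> str:
    """/authorize request; completes silently when the user already has an Okta session."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,   # compare against the state on the redirect before using the code
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{OKTA_ISSUER}/v1/authorize?{urlencode(params)}"


def build_token_request(auth_code: str, code_verifier: str) -> dict:
    """Form body for the POST to /token; the verifier proves this client started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": auth_code,
        "code_verifier": code_verifier,
    }


def verifier_matches(code_verifier: str, code_challenge: str) -> bool:
    """The server-side check at /token: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(code_challenge_s256(code_verifier), code_challenge)
```

Send `build_token_request(...)` as application/x-www-form-urlencoded to `f"{OKTA_ISSUER}/v1/token"` after the redirect returns the code, keeping the verifier server-side between the two steps.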
From this documentation (Implement authorization by grant type | Okta Developer), the interaction code flow doesn’t require an active user session with Okta, right? Is it possible for the client to provide the interaction code to Okta with a user’s username to get a token without having the user sign in, if there are no remediation steps?
I need to get an access token from Okta for a guest user who doesn’t have to log in to Okta at all.
Does Okta have a Help and Training Community?
I’m not sure I fully follow how Salesforce supports this use case based on that article, beyond that it uses client_secret_jwt client authentication, with the sub representing the target user. Which, no, Okta does not support.
The closest thing I can think of is the On-Behalf-Of Token Exchange, but that would still require that there be a token issued to a user that could be exchanged for a token issued to a service app, so I don’t think that will help you for users who have not logged into Okta.