How to get ID Token from active Okta session

Hi, I want to check if there is an active Okta session existing. For that I'm calling the /api/v1/sessions/me endpoint with { withCredentials: true } to include the session cookie. So if I get back response 200 then I know that the Okta session is still active, if 404 then not.

How can I automatically log in the user when I detect an active Okta session?

I tried to call /authorization?client_id={client.id}&…&session_token={sessionToken} but I don't have session_token. I know I can get it from /api/v1/authn when authenticating a user with username and password, but I don't have those either, since I want to automatically log in the user if his Okta session is active without any input.

So my question is: how can I get an id_token from an active Okta session (no other data is provided)?
I have seen that the Okta widget is doing it somehow, so it should be possible. The ideal scenario would be an endpoint something like /authorization with relay_state and the session cookie included, so I could handle the id_token in the same way as after a normal login.

I have tried many different combinations from the Okta documentation with no luck and now I'm out of ideas. Strangely enough, if I let user A log in with username/password (it will call the authn and then the authorization endpoint) and then in another tab (the Okta session is still active from user A) I want to log in with user B, the call with his username/password to the authn endpoint will be successful, but the data returned by the authorization endpoint will be from the already logged-in user A. So I guess there must be a way to log in a user automatically without username/password input.

Thank you for your help.

Hi @gregor

If you see that the user's session is active in Okta using the /api/v1/sessions/me endpoint, then you can simply redirect the user to the /authorize endpoint on Okta, using a URL like the following:

https://org.okta.com/oauth2/v1/authorize?response_type=id_token&client_id=0oa2fatx70JGiU2TA2p7&redirect_uri=https://your.app.com/callback&state=authn&scope=openid&nonce=abcd


Hi @dragos, I swear that I tried that and it didn't work before. Thank you, now it works as expected.

Good afternoon.

I'm trying to do the same process, but for me it is still not working when doing the steps above.

This is how my widget code looks like now:

The session detection works, but when I redirect to the URL, I get a 404 from my endpoint "/authorization-code/callback", even though this endpoint works when I do the login via the widget. Also, HttpContext.User.Identity.IsAuthenticated returns false.

I guess it is something with the "state" parameter of this URL. I read that it seems to be required, but idk how to format that string in the right way, or even if the way I'm doing it is right (maybe the detection can be done somewhere in the OpenId part of my ASP.NET MVC code, idk).

If I log in via my widget, then open another tab and hit my Okta domain, it recognizes the current session and I don't need to re-enter my credentials. This is the same behavior I want to reach when someone opens a new tab and hits my system: I want to recognize the current session and allow them to use the system.

In the end, the HttpContext.User.Identity.IsAuthenticated must be true and be able to get claims from HttpContext.GetOwinContext().Authentication.User.Claims.

Thanks.

Good morning guys.

So, I did many tests here and I found a way to make it work.

Thanks.