How to get session cookie

Hi. I am new to Okta. Trying to create a session cookie. To achieve this I am following this flow:

  1. Created SessionToken using API
  2. Trying to get session cookie

I am able to create a sessionToken using the API. I used https://trial-7903122.okta.com/api/v1/authn
After receiving the sessionToken I am trying to get the session cookie; for that I am routing the following URL to the browser:

https://mydomain.com/oauth2/v1/authorize?client_id=xxxxxxxxxx&response_type=id_token&scope=openid&prompt=none&redirect_uri=http://loc.okta&state=Af0ifjslDkj&nonce=n-0S6_WzA2Mj&sessionToken=20111Zl2OHkxPeKuwGBzKiaWUdJ1Kk9EY_48AynFNOKSFoRZPJkeBxn

After routing the above URL through the browser I am expecting the sid cookie to be set in the browser (as per the documentation here: Documentation). But it returns the URL with Token_id; no cookie is set in the browser. I have spent many hours trying to resolve this but no luck. Please let me know if I am missing anything.

The cookie will be set on the Okta domain, not your application. If you open Okta in another tab in the same browser, are you getting prompted to log in, or does it recognise you are already logged in (due to the Okta session cookie, sid, being set on the Okta domain)?

Hi @Andra. Thanks for your response. Initially, I generated the sessionToken using the API. With the routing URL, as I set prompt=none and send the sessionToken as a query string, it's not asking me to log in. As per the documentation here (Get session cookie using session token) it should set the sid cookie on the return URL. Please correct me if I am wrong. If the cookie is set on the Okta domain, please suggest how to bring it to my application for SSO purposes. Thanks

That's correct, sending the sessionToken to the /authorize endpoint will result in the `sid` cookie being set on the Okta domain, so that the Okta session is established there. Your OIDC app should be managing its own session, but based on the OIDC tokens that were issued to the app/user, not the mere existence of the Okta session (as the Okta session is universal, while the tokens can only be issued to a user actually assigned the application in question).

For example, in our front-end SDKs, we store the tokens returned to the application from Okta within local storage and use them to ensure the user has active and valid tokens for this application.
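As an added illustration of the point above (not code from the thread or from Okta's SDKs): once the browser is redirected back from /authorize, the application builds its own session from the ID token's claims, checking state and nonce against what it stored before redirecting. The issuer, client_id and JWT contents below are constructed placeholders; signature verification against the Okta JWKS endpoint is a separate required step that this offline snippet does not perform.

```javascript
// Added example, not Okta SDK code. Claim checks an app does before trusting an
// ID token for its own session; signature verification is assumed to happen elsewhere.

function base64UrlDecode(s) {
  return Buffer.from(s, 'base64url').toString('utf8');
}

// Pull id_token, state and error out of the redirect URL. Implicit-flow responses
// normally arrive in the fragment (#...), but the query string is handled too.
function parseRedirect(url) {
  const u = new URL(url);
  const params = new URLSearchParams(u.hash ? u.hash.slice(1) : u.search);
  return { idToken: params.get('id_token'), state: params.get('state'), error: params.get('error') };
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the list of failed claim checks (empty means the claims are acceptable).
function validateIdTokenClaims(payload, { issuer, clientId, nonce, now }) {
  const problems = [];
  if (payload.iss !== issuer) problems.push('iss');
  if (payload.aud !== clientId) problems.push('aud');
  if (payload.nonce !== nonce) problems.push('nonce');
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('exp');
  return problems;
}

// state must match what the app stored before redirecting (CSRF protection), the
// nonce binds the token to that same request (replay protection), then a session is built.
function establishAppSession(redirectUrl, stored, opts) {
  const { idToken, state, error } = parseRedirect(redirectUrl);
  if (error) return { ok: false, reason: error };
  if (!idToken || state !== stored.state) return { ok: false, reason: 'state' };
  const payload = decodeJwtPayload(idToken);
  const problems = validateIdTokenClaims(payload, { ...opts, nonce: stored.nonce });
  if (problems.length) return { ok: false, reason: problems.join(',') };
  return { ok: true, subject: payload.sub, expiresAt: payload.exp };
}

// Constructed sample token: header and signature are placeholders, not a real signed JWT.
function makeSampleIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', kid: 'placeholder' })}.${enc(claims)}.sig`;
}
```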

Hi @andrea. Thanks so much for the detailed explanation. I understand most of the knowledge you shared. Please help in clearing up one more doubt.
From your lines "For example, in our front-end SDKs, we store the tokens returned to the application from Okta within local storage and use them to ensure the user has active and valid tokens for this application."
Are those tokens like the following id_token in the URL?
https://returnurldomain?id_token=S4sx3uixdsalasd&state=Af0ifjslDkj&nonce=n-0S6_WzA2Mj

Yup, the ID token and/or access token, depending on what OAuth flow is being used (which means they could be returned directly to the redirect_uri like in your example, OR via a /token request made by the app).

Thanks @andrea. I will do more R&D on how to manage app sessions. Thank you so much.