When a new user enters their email address into our application using the Okta Sign-In Widget, an email is sent to the user using the Email Challenge template. According to the documentation, the Email Challenge template exposes three variables:
- ${verificationToken}: The one-time passcode that Identity Engine generated for the
- ${request.relayState}: The OIDC/OAuth2 state parameter for the current authorization request
- ${emailAuthenticationLink}: The Okta-hosted URL that continues the password recovery flow
The email authentication link includes a token:
https://{okta-domain}/email/verify/{some_id}?token={token}
It is important to note here that the verificationToken is not equal to the token in the auth link. The verification token is used to directly enter the code into the widget:
Can’t use the link? Enter a code instead: ${verificationToken}
What we want to do is build an emailAuthenticationLink that points to our domain where we host the Sign-In Widget, so the user can click on the link to get to our app and is prompted to enroll in required authenticators. We need guidance on how to do this. Currently in our template we have simply removed the link, but we have requirements to use both the link and the code.
In addition, once we link the user to our Sign-In Widget, how can we bootstrap the Sign-In Widget to use the token query param so that the user is automatically prompted to enroll authenticators? We have done something similar with our activation email flow, but recently we have seen strange regressions with that flow (see "Interact endpoint returning 'The activation token is invalid' with widget integration").
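One way to wire the two pieces the post asks about together, as an added example that is not part of the original post and not Okta's own code: the email template's ${verificationToken} and ${request.relayState} values are placed in a link to the self-hosted widget page, and that page validates the query values before passing them to the widget. It assumes a custom link shape of `https://app.example.com/login?otp=...&state=...` (the parameter names are our choice), that the widget accepts `otp` and `state` configuration options for the Identity Engine magic-link flow, and a hypothetical `storedState` value the app saved when it started the sign-in.

```javascript
// Added example (not from the original post or Okta). Assumptions: the custom
// link carries the template values as ?otp=<verificationToken>&state=<relayState>,
// and the Sign-In Widget accepts `otp` and `state` in its configuration.

// Build the link to place in the Email Challenge template. `otp` and `state`
// are the rendered ${verificationToken} and ${request.relayState} values;
// URLSearchParams percent-encodes them, so no manual escaping is needed.
function buildMagicLink(appLoginUrl, otp, state) {
  const url = new URL(appLoginUrl);
  url.searchParams.set('otp', otp);
  url.searchParams.set('state', state);
  return url.toString();
}

// Extract and validate the two values from the URL the user landed on.
// Returns null when anything is missing or malformed, so the page falls back
// to the widget's normal code-entry flow instead of bootstrapping on bad input.
function parseMagicLink(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const otp = params.get('otp');
  const state = params.get('state');
  if (!otp || !state) return null;
  // Okta's email one-time passcode is a six-digit number; state is an opaque
  // value the app generated, so only URL-safe characters are accepted.
  if (!/^\d{6}$/.test(otp)) return null;
  if (!/^[A-Za-z0-9._~-]{8,256}$/.test(state)) return null;
  return { otp, state };
}

// Merge the link values into the widget config only when `state` matches the
// state this browser stored when it started the flow (a conservative policy:
// a link opened in an unrelated session just gets the plain widget, where the
// user can still type the code). `storedState` is a hypothetical app value.
function widgetConfigFromLink(baseConfig, pageUrl, storedState) {
  const link = parseMagicLink(pageUrl);
  if (!link || link.state !== storedState) return { ...baseConfig };
  return { ...baseConfig, otp: link.otp, state: link.state };
}

// Browser usage (widget script assumed loaded on the page):
// const config = widgetConfigFromLink(baseConfig, window.location.href,
//   sessionStorage.getItem('app-sign-in-state'));
// new OktaSignIn(config).showSignInToGetTokens({ /* app options */ });
```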