Implicit Flow and Auth Code Flow SSO - Same Browser Session Question


#1

Hi,

The goal I am trying to achieve is if we open chrome and log into okta for an implicit flow application in one tab of the browser and another is open with a different application with okta auth js checking for session, I need to authorize again to get a CODE to authenticate using the auth code flow. The second application has a client_id that is set up for authorization code flow in okta admin.

So basically we have a SPA application(implicit flow required) and a separate web application(which should use auth code flow), I need to be able to authenticate using auth code flow for the web application as I need to manage it on the server side. I want to be able to share okta session(whether it was established by app 1 (SPA) or app 2 (web app) across tabs for either within the same browser session.

The first application(SPA) is using the widget. The second application is using code along the lines(this is the code that executes for the web site that would be SSO, getWithoutPrompt blows up on Response Mode):


> oktaSignIn.session.get(function (res) {
> 
>                 // If we get here, the user is already signed in.
> 
>                 if (res.status === 'ACTIVE') {
> 
>                   
> 
>                     document.writeln('You have an ACTIVE Okta session!')
> 
>                   
> 
>                     var authClient = new OktaAuth({
> 
>                         // Org URL
> 
>                         url: 'https://xxxxx.oktapreview.com',
> 
>                  
> 
>                         // OpenID Connect APP Client ID
> 
>                         clientId: '<BLANKED OUT>',
> 
>                         redirectUri: '////okta3.html',
> 
>                         authParams: {
> 
>                             responseMode: "query",
> 
>                             responseType: "code"
> 
>                         }
> 
>                     });
> 
>                     authClient.token.getWithoutPrompt({
> 
>                         responseMode: "query",
> 
>                         responseType: "code"
> 
>                     })
> 
>                         .then(function (tokenOrTokens) {
> 
>                             // manage token or tokens
> 
>                             var gigi = tokenOrTokens;
> 
>                             window.location.hash = "";
> 
>                         })
> 
>                         .catch(function (err) {
> 
>                             // handle OAuthError
> 
>                             var myErr = err;
> 
>                             window.location.hash = "";
> 
>                         });
> 
>                     return;
> 
>                 }
> 
>  
> 
>                 // If we get here, the user is not logged in, so we should show the sign-in form.
> 
>                 oktaSignIn.renderEl(
> 
>                   { el: '#sign-in-container' },
> 
>                   function success(res) { },
> 
>                   function error(err) {
> 
>                       console.error(err);
> 
>                   }
> 
>                 );
> 
>             });

Please assist here in how to solve this, the team I am working with is under the assumption that the SPA should not use anything but implicit flow but they still want the web application to use same browser session but use authorization code flow for that application.

Any help would be appreciated,

Ron