Initiate login from Okta with Authorization Code Flow with PKCE

I’m integrating Okta into our backend service (Java); the front-end is an angular.js app. And we prefer the more secure solution: Authorization Code Flow with PKCE instead of the Implicit Code Flow. But here’s a problem. We would still prefer that the user could click the app icon in the Okta dashboard to initiate the login.

But it looks like Okta doesn’t support initiating login via Okta when only using the Authorization Code Flow option. When I select Login initiated by Either Okta or App, it shows:

Okta can only initiate the login for Web and SPA apps with the “implicit” grant type.

I have also noticed I can enable the implicit grant and use the Authorization Code Flow with PKCE.

I have also found this article useful for my case: https://devforum.okta.com/t/okta-initiated-login-with-authorization-code/7305
@dragos has moved that question into the feature request.

Any progress or best practice at this time? Or any explanation about this setting? Thanks.

While we look into expanding this to allow “Login initiated by Okta” to work for other flows, we currently recommend you create a bookmark application that points to your application, as discussed here: https://support.okta.com/help/s/article/OIDC-app-not-on-dashboard

As long as the page you redirect users to in your application has logic configured to detect an existing Okta session and make an authorize request automatically, end users will be SSO’d in without needing to re-authenticate.


Hi, could you confirm how we could handle logic to detect an Okta session and make an authorize request if the app is set up with Authorization Code Flow? Check the /api/v1/sessions/me endpoint and, according to the result, request the /authorize endpoint or redirect to the login page? Thx.

Yup, you could definitely do it that way. I will warn that with more and more browsers blocking access to third party cookies for end-user privacy/security reasons, checking for the session via a CORS call to /sessions/me may not work (Safari 13 comes to mind).

If third party cookies are not an issue (either because they’re not blocked or you have hosted your application on the same domain as your Okta org, per the recommendation in the guide above), you can make an authorize call with prompt=none to get tokens for the user without prompting them to authenticate. This is how our AuthJS SDK’s getWithoutPrompt method works to prevent the redirect and instead request tokens in an iframe (which is why it has the third party cookies limitation). YMMV based on your Org/App’s Sign On Policies and MFA configuration, as the user may still need to verify a factor.

Another option is to just try and do the authorize redirect to Okta without checking if they already/still have an active session. If they do, they will be sent back to the application (via its redirect_uri) without needing to re-authenticate (same note as above regarding your Sign On Policies), and if they don’t they can log in on the Okta hosted login page and then be sent back to the application.