[iOS SDK] [PKCE] How to set authentication state from accessToken and refreshToken

I’m using the OktaOidc (v3.10.2) and OktaAuthNative (v2.4.2) SDKs on iOS to log a user in through an SSO flow (PKCE). Our SSO process has the backend performing the authentication and providing the final accessToken and refreshToken for the clients to use.

The only two APIs available to us in the iOS SDK seem to be OktaAuthSdk.authenticate(with: url, username: username, password: password) and OktaOidc().authenticate(withSessionToken: token). However, our backend system calls /v1/authorize and /v1/token on our behalf and provides the native app with the refresh and access tokens it should use going forward. Is there a way to set these in the SDK directly, or a way to create an OktaOidcStateManager from just this information?

Thanks,

Anthony

Hi Anthony,
Once the native app receives the tokens from the backend system, assuming these could be set in the StateManager, would the native application at that point be responsible for refreshing the tokens, or did you want the backend system to continue doing this?

If the native app will handle its own token refreshing via the Okta SDK, why not use OktaOidc().authenticate(withSessionToken: token) from the start? This will properly initialize the AuthState and OktaOidcStateManager. The AuthN could still take place on the backend, and the session token could then be passed to the native app to do the AuthZ.

I don’t see a documented way to initialize OktaOidcStateManager with tokens. At first glance it appears the only way is with an AuthState, and AuthState appears to init with either an OKTAuthorizationResponse or an OKTRegistrationResponse.

We only need to do this once, and then we would like the Okta SDK (OktaOidcStateManager) to handle it as it normally would if the person had logged in with Okta.

Caveat: I’m not an expert on SSO or IDP.

Our current flow is that our SSO (third-party platform) sends the request to the /v1/authorize endpoint with idp, client_id, response_type=code, scope=offline_access+openid+email+profile, response_mode=query (and others), including a redirect_uri which points to our backend. This redirect_uri (which is now our backend) receives a code and, in turn, internally calls /v1/token with the data (including our secrets in the header) to fetch the accessToken and refreshToken. These are then passed back to the app through a scheme callback (similar to how Universal Links work on apps). The app is launched with this unique deep link; we extract the tokens and would like to create an OktaOidcStateManager with them (or use the refreshToken to fetch new credentials if needed and revoke the old accessToken).

The /v1/authorize endpoint does not return a sessionToken for us to use with .authenticate(withSessionToken) in the SDK. Maybe you are recommending a different flow that I’m unfamiliar with?

Thanks
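The flow described in the post above, written out as an added example that is not part of the original thread and is not code from Okta's SDKs: the backend owns the redirect_uri and the client secret, builds the authorize request with a PKCE S256 challenge, validates `state` when the code comes back, exchanges the code (with the code_verifier) at the token endpoint, and then hands the resulting tokens to the native app over a custom URL scheme, which the app parses. The issuer, client id/secret, backend redirect_uri, `myapp://auth` scheme and the `MockTokenEndpoint` class are constructed assumptions so the example runs offline; the full path `/oauth2/v1/authorize` is the Okta org authorization server path that the thread abbreviates as `/v1/authorize`.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed assumptions for the example (not values from the thread).
ISSUER = "https://example.okta.com"
CLIENT_ID = "0oaexampleclientid"
CLIENT_SECRET = "example-client-secret"
BACKEND_REDIRECT = "https://backend.example.com/oidc/callback"
APP_CALLBACK = "myapp://auth"  # custom scheme the native app registers


def b64url(data):
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def basic_auth_header():
    """client_secret_basic: the secret never leaves the backend."""
    return "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()


def build_authorize_url(state, code_challenge, idp=None):
    """The parameters named in the thread, with redirect_uri pointing at the backend."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code", "response_mode": "query",
        "scope": "offline_access openid email profile", "redirect_uri": BACKEND_REDIRECT,
        "state": state, "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    if idp:
        params["idp"] = idp
    return f"{ISSUER}/oauth2/v1/authorize?{urlencode(params)}"


class MockTokenEndpoint:
    """Offline stand-in for /oauth2/v1/token (constructed, not Okta's implementation)."""

    def __init__(self):
        self.codes = {}  # code -> (code_challenge, redirect_uri)

    def issue_code(self, code_challenge, redirect_uri):
        code = secrets.token_urlsafe(24)
        self.codes[code] = (code_challenge, redirect_uri)
        return code

    def token(self, headers, form):
        if not hmac.compare_digest(headers.get("Authorization", ""), basic_auth_header()):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code"), None)  # codes are single-use
        if entry is None or form.get("redirect_uri") != entry[1]:
            return 400, {"error": "invalid_grant"}
        got = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not hmac.compare_digest(got, entry[0]):
            return 400, {"error": "invalid_grant"}
        return 200, {"token_type": "Bearer", "expires_in": 3600,
                     "access_token": "at." + secrets.token_urlsafe(16),
                     "refresh_token": "rt." + secrets.token_urlsafe(16)}


def backend_handle_callback(callback_url, session, token_endpoint):
    """Backend receives ?code=&state= at redirect_uri, checks state, exchanges the code."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch")
    form = {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": BACKEND_REDIRECT, "code_verifier": session["code_verifier"]}
    status, body = token_endpoint.token({"Authorization": basic_auth_header()}, form)
    if status != 200:
        raise RuntimeError(body["error"])
    return body


def app_deep_link(tokens):
    """Backend hands the tokens to the native app over the custom scheme."""
    return APP_CALLBACK + "?" + urlencode({k: tokens[k] for k in ("access_token", "refresh_token")})


def app_parse_deep_link(url):
    """Native app side: accept only its own scheme/host, then extract the tokens."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}" != APP_CALLBACK:
        raise ValueError("unexpected callback")
    q = parse_qs(parts.query)
    return {k: q[k][0] for k in ("access_token", "refresh_token")}


def run_flow(token_endpoint=None, idp=None):
    """End to end: authorize URL -> code at backend -> token exchange -> deep link -> app."""
    token_endpoint = token_endpoint or MockTokenEndpoint()
    verifier, challenge = make_pkce_pair()
    session = {"state": secrets.token_urlsafe(16), "code_verifier": verifier}
    aq = parse_qs(urlsplit(build_authorize_url(session["state"], challenge, idp)).query)
    # Okta would redirect the browser to the backend here; the mock issues the code directly.
    code = token_endpoint.issue_code(aq["code_challenge"][0], aq["redirect_uri"][0])
    callback = BACKEND_REDIRECT + "?" + urlencode({"code": code, "state": session["state"]})
    return app_parse_deep_link(app_deep_link(backend_handle_callback(callback, session, token_endpoint)))
```

`run_flow()` returns the token pair exactly as the app would hold it after parsing the deep link. The mock endpoint is deliberately strict in the ways a real one is: the client secret is checked, a code can be redeemed once, the redirect_uri must match the one used at /authorize, and the code_verifier must hash to the challenge, so a wrong or replayed exchange fails with `invalid_grant`. The app side checks that the URL it was launched with is its own `myapp://auth` before reading tokens out of it.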

Unfortunately, I do not believe this is possible with the current SDK without making modifications. The SDK is open source, so you are free to do that.

You can add a feature request to okta-oidc-ios to show interest.