Previously we were able to get a session token using the user’s email and password, and then set the session cookie using it for SSO. Now that we have switched to using the Okta sign-in widget in our mobile app, we need to figure out a new way of achieving SSO. I’m trying out the token exchange flow and have successfully retrieved an access token, refresh token and ID token this way, but it seems like there is no way for us to get a session token without knowing the user’s credentials, even through the token exchange flow?
A sessionToken is only returned from going through the Okta classic authentication pipeline (authn).
There is no way to exchange OAuth tokens for a sessionToken.
On mobile devices, out of the box, there are two ways to accomplish SSO:
All mobile apps use the browser redirect flow, and the Okta session cookie is stored as a persistent cookie.
If using native logins, use the Okta Native SSO token exchange flow to exchange tokens from one app for another app.
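The Native SSO exchange named in the answer above, sketched as an added example that is not part of the original thread or Okta's own code: the second app trades the first app's ID token and device secret for its own tokens, with no user credentials in the request. The parameter names and URNs follow Okta's Native SSO documentation; the Okta domain, client ID, token values and function names are constructed placeholders, and the first app is assumed to have requested the `device_sso` scope so that it holds a device secret.

```python
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
# "x-oath" is the spelling used in Okta's Native SSO documentation.
DEVICE_SECRET_TYPE = "urn:x-oath:params:oauth:token-type:device-secret"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def build_native_sso_request(issuer, client_id, id_token, device_secret,
                             scope="openid offline_access",
                             audience="api://default"):
    """Build (without sending) the token request app 2 makes with app 1's tokens."""
    if not id_token or not device_secret:
        raise ValueError("app 1 must share both its id_token and its device_secret")
    form = {
        "client_id": client_id,              # client ID of the second app
        "grant_type": TOKEN_EXCHANGE,
        "actor_token": device_secret,        # issued to app 1 via the device_sso scope
        "actor_token_type": DEVICE_SECRET_TYPE,
        "subject_token": id_token,           # ID token app 1 received at login
        "subject_token_type": ID_TOKEN_TYPE,
        "scope": scope,
        "audience": audience,
    }
    return Request(
        issuer.rstrip("/") + "/v1/token",
        data=urlencode(form).encode(),
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def tokens_from_response(body):
    """Keep only the OAuth tokens the exchange returns; it carries no sessionToken."""
    if "error" in body:
        raise RuntimeError(f"{body['error']}: {body.get('error_description', '')}")
    wanted = ("access_token", "id_token", "refresh_token")
    return {name: body[name] for name in wanted if name in body}


if __name__ == "__main__":
    # Constructed placeholder values, not real tokens or a real tenant.
    req = build_native_sso_request("https://example.okta.com/oauth2/default",
                                   "0oa_app2_placeholder",
                                   "ID.TOKEN.PLACEHOLDER", "DEVICE_SECRET_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Both apps need shared secure storage (for example a shared keychain group) so the second app can read the first app's ID token and device secret.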