Is it possible to authenticate a PWA from a parent or specific sub-domain then redirect to user-specific sub-domain?

The scenario is that multiple clients will be granted access to the PWA with their own sub-domain. E.g.
company1.domain.com
company2.domain.com
company3.domain.com
etc.

There is also a primary URI for the app, primary.domain.com. One possible scenario where users may find themselves at this version is following links in help documentation or email notices.

I am tasked with redirecting users that sign in on primary.domain.com to their company-specific sub-domain. I am trying to determine how / if I can make this happen given the necessarily strict behavior of browser storage with respect to unique domains.

Application and Okta configuration details:
The PWA is an Angular SPA. Okta is currently configured with PKCE, Authorization Code, Implicit, and Refresh Token. Wildcard is allowed in the redirect URI. The app uses the okta-signin-widget, okta-angular, and okta-auth-js libraries. The Angular version currently in use is 12; the Okta libraries are at their latest versions, which are:
okta-angular: 5.1.1
okta-auth-js: 6.1.0
okta-signin-widget: 6.0.1

Okta is used for user id authentication only. OktaAuthGuard is NOT used. Once a user is authenticated with Okta, additional access control is provided outside the Okta ecosystem. The application embeds the sign-in widget by calling showSignInToGetTokens, passing results to OktaAuth’s handleLoginRedirect. A custom restoreOriginalUri callback is provided in the auth configuration that is essentially a no-op (the default behavior of the library using window.location.replace caused an issue where the app would fail to proceed after authentication when in the reset password flow).

What currently happens is that upon sign in, tokens are stored in Local Storage associated with the specific domain used. Presumably, if I redirect the user post-authentication to a different sub-domain, that authentication data is no longer accessible. I can send them to their appropriate sub-domain (company subdomain slug is provided as part of the claims in the token), but now they will need to re-enter their sign in information because the domain has changed.

Until they sign in, I do not know their appropriate sub-domain, and after they sign in, changing the domain loses the authentication tokens. My knowledge of Okta’s capabilities is still low, and I have not had much luck locating potential solutions for this scenario. Any help or suggestions are appreciated!
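The redirect decision described in the question, as an added example that is not part of the original post or of any Okta library: it turns the slug claim into a company origin only when the slug is a single valid DNS label, and reports whether the target shares an origin (and therefore Local Storage) with the current page. The claim name `companySlug`, the function names, and the use of `domain.com` as the base domain are assumptions for illustration.

```javascript
// Added example. BASE_DOMAIN mirrors the placeholder used in the post;
// SLUG_CLAIM is a hypothetical claim name (the post does not name the claim).
const BASE_DOMAIN = "domain.com";
const SLUG_CLAIM = "companySlug";
// One DNS label: lowercase letters, digits, inner hyphens, at most 63 chars.
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Build the company origin from token claims; null if the slug is unusable.
function companyOrigin(claims) {
  const slug = claims ? claims[SLUG_CLAIM] : undefined;
  if (typeof slug !== "string" || !DNS_LABEL.test(slug)) return null;
  const url = new URL(`https://${slug}.${BASE_DOMAIN}`);
  // Defence in depth: the parsed host must be exactly <slug>.<BASE_DOMAIN>,
  // so a crafted claim can never steer the redirect to another site.
  return url.hostname === `${slug}.${BASE_DOMAIN}` ? url.origin : null;
}

// Decide what to do with a signed-in user who is currently at currentHref.
function planRedirect(currentHref, claims) {
  const here = new URL(currentHref);
  const target = companyOrigin(claims);
  if (target === null) {
    return { action: "reject", reason: "slug claim is not a valid DNS label" };
  }
  if (here.origin === target) {
    // Same origin: tokens already in Local Storage remain readable.
    return { action: "stay", storageShared: true };
  }
  // Different origin: Local Storage written at here.origin is not visible
  // at target. Keep only the path; query and fragment may carry
  // authorization response parameters and are dropped.
  return { action: "redirect", to: target + here.pathname, storageShared: false };
}

// Constructed sample input: a user who signed in on the primary host.
const sample = planRedirect(
  "https://primary.domain.com/reports/7?code=abc",
  { [SLUG_CLAIM]: "company2" }
);
console.log(sample);
```
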