Is it possible to get Okta session token with OAuth flow

misha · January 28, 2021, 6:23am

I can see how to get session token and session cookie via authn API.
But is it possible to get the same via OAuth flow?

Currently with OAuth flow I can only get access token
Thanks

rajnadimpalli · January 28, 2021, 6:32am

Session token is one-time bearer token that provides proof of authentication.
If you have a session token, you can use that to obtain an OAuth access token but the other way around is not possible.

Thank you,
Raj

misha · January 28, 2021, 10:58pm

Thank you for your reply @rajnadimpalli
What s the alternative? My app supports OAuth flow and I need session cookie.
Is there a way to get it without implementing webauthn?

devpascoe · March 29, 2023, 5:29am

I too have a situation where i need both sessionToken and accessToken. I can exchange sessionToken for accessToken and thats fine for API requests. But related SSO webpages which use sessionToken (/login/sessionCookieRedirect) work fine for first couple hours. But once sessionToken expires thats it. Any way to re-issue sessionToken without a full MFA process again?

andrea · March 29, 2023, 3:55pm

Be careful with mixing up the sessionToken with the session cookie that Okta will set when the sessionToken is exchanged. See this doc for the different options for exchanging a sessionToken for a full Okta session: Sessions | Okta Developer.

If the session cookie is expiring, its because the user is not actively using Okta and having is session renewed automatically, even if they may be actively using the OIDC app for which they have an Access/ID Token. This is expected behavior, as the Okta session is only needed to initially log the user into the OIDC app, but the OIDC app itself is not dependent on the Okta session.

If you really want to look into keeping it alive anyway, you can either look to extend the user’s session via policy, Enforce a limited session lifetime for all policies | Okta, or you can try to refresh the session on their behalf. Note that this final option involves CORS requests to the Okta domain from your application and your mileage may vary with browsers that block third party cookies.

system · February 13, 2024, 12:55am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.