Hello guys, I have a question regarding the OIDC SSO flow.
I plan to use Okta to generate an OIDC token that my application will use to log in the user.
I want to start using the SSO link provided by okta (the link that we get when clicking in the app badge in the okta dashboard), so my users will access okta and then they’ll be redirected to my app.
My app is a static SPA. The backend of the SPA will validate the id token passed by the SPA in the Authorization header.
Does this make sense so far?
Now my problem:
The SSO link generated by okta will redirect to my app using a POST request. As I said, my app is just a SPA, so it cannot handle POST requests.
How is this usually done?
Should I stop using the SSO link? (the implicit OIDC flow redirects to my app using GET, so I don’t really know why the SSO link works in a different way)
Is there any special app configuration that will allow me to change how the SSO link redirects to my app?
I’ve noticed that my app is using the “Send ID Token directly to app (Okta Simplified)” flow instead of “Redirect to app to initiate login (OIDC Compliant)”.
Maybe the Okta Simplified flow doesn’t make sense with SPAs? (even though it looks very convenient).
I’m struggling to find any documentation about this particular setting so I’m as clueless as before, but at least I have a workaround: use the OIDC Compliant flow to Okta -> SPA -> Okta login -> SPA again.
Once the users are added to the SPA OIDC application in Okta, you can create a new bookmark application (Applications >> Add Applications >> search for “Bookmark App”) that will have the link to the /authorize endpoint. In the URL, you can set the response_mode to be fragment, query, form_post or okta_post_message, depending on how your application is expecting them.
Once the users are added to the application and access the bookmark chiclet from the Okta dashboard, they will be redirected to your authorization server, authorized against Okta and then redirected to your application with the JWT tokens in the format you specified in response_mode.
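An added example (not from this thread or from Okta’s own SDKs) of the two pieces a static SPA needs for the GET-based variant of the answer above: building the /authorize link with response_mode=fragment, and parsing the fragment Okta sends back. The issuer, client_id and redirect_uri are placeholders; because a fixed bookmark link cannot carry a fresh state or nonce, this example assumes the SPA generates them itself in its login-initiation step (as in the “OIDC Compliant” redirect flow) and stores them before redirecting.

```javascript
// Example code added to this thread, not Okta's. Placeholder values below are assumptions.
const ISSUER = "https://example.okta.com/oauth2/default"; // placeholder issuer
const CLIENT_ID = "0oaEXAMPLECLIENTID";                    // placeholder client_id
const REDIRECT_URI = "https://spa.example.com/callback";   // placeholder redirect_uri

// Build the /authorize URL the SPA redirects to. state and nonce are passed in so the
// values can be generated (randomly) and stored by the SPA before the redirect; the
// backend later checks the nonce claim inside the id_token against the stored value.
function buildAuthorizeUrl({ state, nonce, responseMode = "fragment" }) {
  const url = new URL(`${ISSUER}/v1/authorize`);
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("response_type", "id_token");
  url.searchParams.set("response_mode", responseMode); // fragment => GET, no POST handler needed
  url.searchParams.set("scope", "openid profile email");
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  return url.toString();
}

// Parse the callback URL. With response_mode=fragment the response arrives as
// #id_token=...&state=... or, on failure, #error=...&error_description=...
// The state check rejects any response that does not match what this SPA stored.
function parseFragmentResponse(callbackUrl, expectedState) {
  const hash = new URL(callbackUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(hash);
  if (params.get("error")) {
    const description = params.get("error_description") || "";
    return { ok: false, reason: `${params.get("error")}: ${description}`.trim() };
  }
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const idToken = params.get("id_token");
  if (!idToken) {
    return { ok: false, reason: "no id_token in fragment" };
  }
  // The SPA forwards this token to its backend in the Authorization header; the backend
  // must still validate signature, issuer, audience, expiry and nonce before trusting it.
  return { ok: true, idToken };
}
```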
That’d work (it can only be configured in the classic admin dashboard though), but I’m still unclear on why Okta Simplified only works with POST.
Anyway, I’m using an organization-managed Okta, so I don’t have the freedom to create and manage applications, and I think OIDC Compliant will be easier to manage. Any drawbacks you can think of with either method?