Log into React SPA and then SSO in ASP.NET Core app using OIDC

I have an ASP.NET Core Razor Pages web app that uses the Authorization Code flow and Okta sign-in widget. I’m in the process of migrating to a React SPA with okta-auth-js (with PKCE). The migration will take a few months, and I’d like to allow users who log onto the React SPA to use some sort of SSO to log onto the ASP.NET Core app to access views that we haven’t migrated yet.

The ASP.NET Core app and React SPA use the same authorization server but different Okta Applications (client ids).

Can anyone give me some pointers on whether this is possible and, if so, how to get started?

@punchwalk Hi, you may need refer the doc of
For react, you need to take a look at this sdk.
If you want the new project using the old app, try link it to the old app and use the old configuration such as client_id, redirect uri.

Thanks for the reply. Unless I am mistaken, the new project cannot use the old project’s Okta application, as we want to use PKCE in accordance with security best practices, and the old app wasn’t configured to use it.

@punchwalk Then you probably need to configure the new application and refer the doc of react sdk I sent you.

From the reading the linked article, it’s not clear how using the sign-in widget would solve this problem. Can you please elaborate?

@punchwalk Did you try this react sdk? Okta Sign-In Widget Guide | Okta Developer
What is your old application type?

I got our ASP.NET Core app working with the same Okta app as the React app (using OIDC with Code+PKCE).

We use the sign-in widget on the ASP.NET Core app. I logged into the React app, then clicked a link that app that points to a secured page on the ASP.NET Core app (going from React app to the ASP.NET Core app is the prevailing use case and therefore what we’ll need to support). The ASP.NET Core app did not detect my existing session with the React app and required me to login again. Both apps are on the same domain and I confirmed that they can be both see each other’s cookies. But I’m clearly missing something and am not sure what else to try.