NEED HELP: Redirect with Okta Session Token to a URL Donwload Link

lmatos · October 23, 2020, 12:42pm

Folks,

2nd time here. The 1st time I was instructed to reach out to Okta Support for a ticket but Okta Support mentioned that they work with issues, not development of code. Regardless of this, the person was able to point me to some Okta literature which help me understand what I want to do.

My company uses an online service to manage data and reports. Within this service I have custom reports which I can download directly from the URL by building an URL for the request. If I open a browser and paste this URL, the browser will download per local settings or prompt me for a location. If I try to do the same from a C# WebClient I download a file with Okta information must likely because I have not been Authenticate for the request. I have seen examples of how to redirect to an app by using the Okta Session Token obtained with Primary Auth request.

Is there a way to redirect to the download URL by using a Session Token?

Any help is welcomed, thanks!

phi1ipp · October 23, 2020, 9:21pm

You first need to understand how protection works from browser perspective: what URL/headers/params are required/sent to let you download stuff.

When you have this understanding, you may start developing a solution to reproduce the same

warren · October 27, 2020, 6:29pm

@lmatos I think you’re misunderstanding what the Okta session token does. The session token is meant to be exchanged for an Okta session cookie. https://developer.okta.com/docs/reference/api/sessions/#session-token

Are you trying to make sure the user is authenticated before giving them access to a download url?

lmatos · October 27, 2020, 6:57pm

All I am trying to do is redirect to the download url and bypass Okta signin. The App Use to download the files authenticate user using Okta I believe SAML 2.0.

I am trying to build a url which will tell okta to redirect to the download url without asking for user information. I can ask for user credentials before hand or hard code my own and use the API to get any Session Tokens/Cookies needed.

I just don’t know how the url looks. Something like this is what I need: https://developer.okta.com/docs/guides/session-cookie/#retrieving-a-session-cookie-via-openid-connect-authorization-endpoint

I am a rookie with all this and I’m trying to see what makes sense.

Any help is welcomed, thanks!

warren · October 27, 2020, 8:15pm

So if I understand correctly, you want to bypass the Okta login page when you navigate to a SAML SSO url, for example: https://yourOrg.okta.com/app/yourOrg_saml_1/appid/sso/saml

I think you’re on the right track about prompting for user credentials and retrieving a session token but you should follow this part of the guide instead:
https://developer.okta.com/docs/guides/session-cookie/overview/#initiate-a-saml-sso-with-the-session-token The RelayState parameter should be the url where you want to redirect to. You should also add it to your list of Trusted Origins in Okta.